operators

People who are responsible for managing shared computers.


Overview 


Shared computers are commonly found in schools, libraries, Internet and gaming cafés, 
community centers, and other locations. Often, staff members who lack technical training 
are asked to manage shared computers in addition to their primary responsibilities. 


Managing shared computers can be difficult, time-consuming, and expensive. 
Unrestricted, users can change the desktop appearance, reconfigure system settings, and 
introduce spyware, viruses, and other harmful programs. Fixing damaged shared 
computers costs significant time and effort. 


User privacy is also an issue. Shared computers often use shared accounts where Internet 
history, online documents, and cached Web pages are available from one person to the 
next. 


The Microsoft® Shared Computer Toolkit for Windows® XP provides a simple and effective 
way to defend shared computers from untrusted users and malicious software, restrict 
untrusted users from system resources, and enhance and simplify the user experience. 
The Toolkit runs on genuine copies of Windows XP Professional, Windows XP Home 
Edition, and Windows XP Tablet PC Edition. 


This overview section covers the following topics: 
• Audience
• Supported environments
• Tools summary
• Chapter summary
• Style conventions
• Resources and community
• Download the toolkit





Audience 


The Microsoft Shared Computer Toolkit for Windows XP is designed for people who install, 
configure, and manage shared computers in either public or private settings. 


Throughout this Handbook, people who manage shared computers are referred to as 
operators. Shared computer operators include teachers, technology coordinators, 
librarians, and café staff who have technology skills that span from beginner to expert. 


Important


Windows Disk Protection has
special disk partitioning
prerequisites. For more
information, see Chapter 2,
"Prepare the Disk for
Windows Disk Protection."





Tools Summary 


The Toolkit includes the following graphical tools: 


Getting Started. Provides access to computer settings and utilities and helps
first-time operators learn the Toolkit basics quickly.


Windows Disk Protection. Protects the Windows partition (typically the C: drive) 
that contains the Windows operating system and other programs from being 
permanently modified during a user session. Disk changes made are cleared with 
each restart unless an administrator chooses to save them. 


Windows Restrictions. Restricts user access to programs, settings, and Start menu
items, and locks shared local user profiles against permanent changes. (This tool
is specifically for use in environments that do not use the Active Directory®
directory service and Group Policy.)


User Profiles. Creates and deletes user profiles. Using the tool, you can create 
user profiles on alternative drives to allow the profiles to persist data even though 
Windows Disk Protection is on. You can also use the tool to comprehensively 
delete profiles that have been locked by the Windows Restrictions tool. 


Accessibility. Makes Windows accessibility options and utilities such as 
StickyKeys, FilterKeys, and Magnifier available to users who have been restricted 
from accessing Control Panel and other system settings. 


The Toolkit also provides several command-line tools. In addition to a scriptable 
command-line version of each of the graphical tools, the Toolkit has the following: 


AutoDemo. Configures a computer with accounts and profiles so that you can 
demonstrate the Toolkit. This command should be run only on a demonstration 
computer, because it configures accounts and performs other Toolkit functions. 


AutoLogon. Configures an account to automatically log on to the computer. This 
tool is useful if you use third-party authentication software in place of Windows 
authentication (which is typical in some libraries and Internet cafés). 


AutoRestart. Configures an account so that a program runs automatically each 
time a user logs on with that account. 


AutoRunOnce. Configures an account so that a program runs automatically the 
next time a user logs on with that account. Subsequent logons are unaffected. 


CriticalUpdates. Forces the computer to download and install critical updates 
without waiting for the next critical updates cycle in Windows Disk Protection. 


SCTReport. Creates a Shared Computer Toolkit report that can be used by 
Microsoft Support when troubleshooting issues with the Toolkit. 


SleepWakePC. Puts a shared computer into a sleep state at a specific time (to 
conserve energy) and then wakes it to perform scheduled critical updates. 


Welcome. Removes accounts listed on the Welcome screen, to ensure that users 
aren’t confused or tempted by administrative accounts in the Welcome logon list. 


domain 

A logical grouping of 
networked computers that 
share a central directory 
that contains user accounts 
and security information. 


Active Directory 

The Windows directory 
service for managing 
computers. For more 
information, see the official 
Windows Server 2003 
Active Directory Web site. 


Important 


The first seven chapters 
represent the steps you 
should follow to install and 
use the Toolkit and improve 
the security of your shared 
computer environment. 


Supported Environments


The Toolkit can be used in either workgroup or domain environments. 


Workgroups 


All of the tools in the Toolkit have been designed to help manage individual computers or 
computers that are members of Windows workgroups. The Toolkit does not need a server 
infrastructure — you can use it on one computer or hundreds of computers without 
requiring any server-based management tools. 


To use the Toolkit on multiple computers, each computer must have the Toolkit installed. 
This will allow you to set up each computer as you like using Windows Restrictions, 
Windows Disk Protection, and the other tools. 


Domains 


Some of the tools in the Toolkit have been designed to help protect domain-joined 
computers that are part of an Active Directory domain. 


Windows Disk Protection can be used in domain environments to protect computers from 
unwanted changes. Windows Disk Protection was designed to work well on domain-joined 
computers. 


Windows Restrictions was not designed for domain environments. If you provide, or want
to provide, unique accounts and passwords to your patrons, or your computers are already
part of a Windows domain, using Active Directory with Group Policy is a better solution for
restricting user activities. Group Policy has the added benefits of greater flexibility and central
management, whereas the Windows Restrictions tool is only intended for managing local
shared accounts.


Operators of domain-joined computers should read Chapter 10, “The Shared Computer 
Toolkit in Domain Environments”. 





Chapter Summary 


The first seven chapters in the Handbook follow the basic process that you will use to 
install and use the Toolkit and improve the security of your shared computer environment. 
The remaining chapters and appendix provide additional information that will help you to 
troubleshoot, perform advanced scenarios, and learn about topics related to the Toolkit. 


Chapter 1: Installation 


This chapter covers the prerequisites that a computer must meet before you install the 
Toolkit. It also covers how to validate Windows XP through the Windows Genuine 
Advantage program, install the Toolkit, and use the Getting Started tool. 


Chapter 2: Prepare the Disk for Windows Disk Protection 


This chapter helps you understand the requirements for using Windows Disk 
Protection. It covers the two best methods for ensuring sufficient unallocated disk 
space exists for Windows Disk Protection: 


• Using a third-party partitioning utility such as PartitionMagic 8.0 to resize an
existing partition that contains the Windows operating system and program files.

• Using Windows XP Setup to configure a primary partition and leave unallocated
space on the disk.


Chapter 3: User Profiles 


This chapter covers the creation of local shared accounts, creating profiles for each 
user account, and configuring each profile by customizing Windows settings, Start 
menus, and programs. 


Chapter 4: Windows Restrictions 


This chapter describes how to use the Windows Restrictions tool to restrict and lock
user profiles on the computer to protect against unknown, untrusted users.


Chapter 5: The Restricted User Experience 


This chapter illustrates the experience that typical users will have using a shared
account that has been restricted with the Windows Restrictions tool. It provides an
example of a typical restricted desktop and an introduction to the Accessibility tool, and
describes available user resources. It covers how to test user accounts by logging on
as each user to make sure that restrictions work as you intend.


Chapter 6: Windows Disk Protection 


This chapter describes how to turn on Windows Disk Protection to clear changes to 
the disk with every restart and schedule critical software update installs. It also 
describes how to save disk changes or retain disk changes when Windows Disk 
Protection is on. 


Chapter 7: Security Checklist 


This chapter provides important information to improve the security of shared 
computers and the surrounding environment beyond what the tools in the Toolkit can 
automate. 


Chapter 8: Troubleshooting


This chapter provides troubleshooting advice for each of the tools in the Toolkit.


Chapter 9: Advanced Scenarios


This chapter focuses on the most common advanced scenarios that operators may 
need when using the Toolkit to help manage a shared computer environment. 


Chapter 10: The Shared Computer Toolkit in Domain Environments 


This chapter describes using the Toolkit in environments that have one or more of the 
following: 


• Active Directory

• Central software distribution services

• A need to provide multiple languages on each computer


Appendix A: Technical Primer


This appendix covers several technologies and features that are important to 
understand when you work with the Toolkit. 


Acknowledgements


This section lists the people involved in developing the Shared Computer Toolkit.


Links


This section lists the full URL for all of the hyperlinks in this Handbook, for people
reading a printed copy.


Index


This section lists common terms used in the Handbook with page number references.


Notes


This section is used to record information you need while using the Toolkit. 





Style Conventions 


The following table lists the style conventions that are used in the Handbook. 





Bold              Bold is applied to file names and user interface elements.

Italic            Italic is applied to characters that the user types, but which they can
                  choose to change. Italic characters that appear within angled brackets
                  represent variable placeholders for which the user must supply specific
                  values. Example:

                  <Italic>
                  - or -
                  <Filename.ext> indicates that you should replace the italicized
                  filename.ext with another file name that is appropriate for your
                  configuration.

                  Italic is also used to represent new terms. Example:

                  A disk partition is a logical compartment on a physical disk drive.

Screen Text font  This font defines output text that displays on the screen.

Left margin text  The left margin is used for terms and definitions.

Note              A Note alerts you to information that can help you to complete a task or
                  understand a concept.

Important         An Important notice alerts you to information that is essential to
                  completing a task. This notice might also be used to warn you to take or
                  avoid a specific action.

Procedures        Procedures appear in shaded boxes so that they stand out on the page.








Resources and Community 


The Toolkit includes a number of resources with useful information about the Toolkit. The 
following resources are available in the Microsoft Shared Computer Toolkit program folder 
on the Start menu after you install the Toolkit: 


• Shared Computer Toolkit Handbook. This Handbook provides detailed instructions for
installing and using the Toolkit. The Handbook also covers advanced topics, best
practices, and technical information.


• Shared Computer Toolkit Help. The help files included with the Toolkit detail the
features and functionality of each tool.


• Shared Computer Toolkit Frequently Asked Questions. Common questions and
answers about the Toolkit.


• Online Resources and Community. A Web site and newsgroup dedicated to helping
organizations with shared access computers help and learn from each other—while
meeting others in the shared access community.


For more information about the Toolkit and to participate in discussions with other 
operators, see the Shared Access Resources and Community Web site. 





The community is also intended as a place for you to provide feedback on the Toolkit and 
this Handbook, including your ideas for future releases. 


For users, the Toolkit installation adds two new resources to the All Users Start menu: 


• Online Resources for Using Public Computers. An online Web site that contains links
to resources for children, teenagers, and adults about how to use computers, learn
more about Windows XP, and use the Internet safely.


• Accessibility. A shortcut to the Accessibility tool so that all users can access the
accessibility features of Windows, even if they have been restricted.





Important


These software requirements
must be fulfilled before you
install the Toolkit.


Important


Only the account that installs
the Toolkit will have Start
menu icons for the tools.


Important


Some security software may
report a suspicious or
malicious script error during
installation and when you use
the Toolkit. If this happens,
you need to authorize Toolkit
scripts to execute. For more
information, see Chapter 8,
"Troubleshooting."


Chapter 1: Installation 


This chapter covers the following topics: 

• Software requirements
• Software recommendations
• Install the Toolkit from the Download Center
• Install the Toolkit from CD
• Set up the Toolkit (OEM pre-installations only)
• Getting started
• Uninstall the Toolkit





Software Requirements 


The Microsoft® Shared Computer Toolkit for Windows® XP requires the following: 


• Windows XP Professional, Windows XP Home Edition, or Windows XP Tablet PC
Edition.


• Service Pack 2 (SP2) installed.


• Internet access to perform Windows Genuine Advantage validation and register your
copy of the Toolkit.





Software Recommendations 


The Shared Computer Toolkit will not remove or stop malicious software that is already on 
the computer. The computer must be trustworthy before you install the Toolkit. 


Microsoft recommends you have the following software installed: 

• All of the latest critical updates from the Microsoft Update Web site.


• Ensure the computer is free of malicious software by having up-to-date antivirus and
antispyware software installed and running.


• Adobe Acrobat Reader to view the PDF version of this Handbook.


• Trusted programs and Microsoft ActiveX® controls your patrons may require.


Some software is generally inappropriate for shared computers, depending on your 
specific usage scenarios. You should consider not installing or removing the following 
types of products from shared computers: 


• Desktop search utilities, because they may reveal information on the computer you
don’t want users to see.


• E-mail clients that require configuration, such as Microsoft Outlook® or Outlook
Express, because they may take too long for users to use.


• Windows components, such as Fax Services and Internet Information Services (IIS).


Install the Toolkit from the Download Center


You can download the Toolkit from the Microsoft Download Center. 








To download and install the Toolkit


1. Log on as the Toolkit administrator, a local administrative account that will use the
tools in the Toolkit.


2. Download the installation file named Shared_Computer_Toolkit_ENU.msi from the
Shared Computer Toolkit Download Page.


3. If prompted, first validate your copy of Windows XP through Windows Genuine
Advantage.


4. Double-click the downloaded installation file to start the installation.


5. Review the License Agreement page, and, if the terms are agreeable to you, click
I Agree and then click Next.


6. On the Registration page, click Register Now, complete the registration process, and
enter the registration code you receive. You can use the same registration code to
install the Toolkit on all of the computers in your environment.


7. On the Installation Folder page, click Next.


8. On the Confirm Installation page, click Next.


9. On the Installation Complete page, click Close to exit. The Getting Started tool should
open.








Install the Toolkit from CD 


If you received the Toolkit on CD with a physical copy of the Handbook, you can install the 
Toolkit from this CD. 








To install the Toolkit from CD


1. Log on as the Toolkit administrator, a local administrative account that will use the
tools in the Toolkit.


2. Insert the CD into the CD-ROM drive on your computer. If the CD does not start
automatically, double-click AutoRun.hta on the CD.


3. If required, click the Windows Genuine Advantage validation link to perform the
validation process.


4. Click Install the Toolkit.


5. Review the License Agreement page, and, if the terms are agreeable to you, click
I Agree and then click Next.


6. On the Registration page, click Register Now, complete the registration process, and
enter the registration code you receive. You can use the same registration code to
install the Toolkit on all of the computers in your environment.


7. On the Installation Folder page, click Next.


8. On the Confirm Installation page, click Next.


9. On the Installation Complete page, click Close to exit. The Getting Started tool should
open.


Set Up the Toolkit (OEM pre-installations only)


If you receive a new computer that has the Shared Computer Toolkit pre-installed, you 
need to perform the Toolkit setup process. 


Log on as the Toolkit administrator (a local administrator account you want to use for 
Toolkit administration) and double-click the Set Up the Shared Computer Toolkit icon on 
the desktop. 


This setup process will: 


Present you with the Toolkit License Agreement to review. 


Start the Windows Genuine Advantage validation process. 


Install all of the Start menu icons for the Toolkit administrator. 


Remove the Set Up the Shared Computer Toolkit icon. 


If selected, open Getting Started. 





Getting Started 


After the installation process finishes, the Getting Started tool will open (unless you 
cleared the Show Getting Started check box during installation). Getting Started also 
opens by default each time you log on to the shared computer with the Toolkit 
Administrator account, which is the account you used to install the Toolkit. Getting Started 
provides an overview of and shortcuts to the tools and resources available in the Toolkit. 
Getting Started presents the following steps and advice to help you start using the Toolkit
quickly:


• Step 1. Prepare the Disk for Windows Disk Protection. In this section, the Getting
Started tool determines whether the shared computer’s disk is properly
configured for Windows Disk Protection. If it is not, the tool provides advice for
configuring the disk. The tool also shows whether Windows Disk Protection is
currently on or off. You can learn more about preparing a disk for Windows Disk
Protection in Chapter 2, “Prepare the Disk for Windows Disk Protection.”


• Step 2. Select Computer Security Settings. This section provides valuable options
for improving the security of the shared computer. Unlike the restrictions
available in the Windows Restrictions tool, which are applied on a per-user basis,
the options in this section apply to anyone who uses the shared computer.
Options you can select in this section include:


o Prevent account names from being saved in the CTRL+ALT+DEL logon
dialog. By default, Windows displays the user name that was last used to
log on to Windows in the traditional logon dialog box shown when you
press CTRL+ALT+DEL at the Windows Welcome screen.


o Prevent Windows from caching Passport or domain credentials within
user profiles. When this check box is selected, users must enter their
Passport and domain credentials each time they are required. Windows
does not save them between user sessions.


o Prevent logon to locked (or roaming) user profiles that can not be found
to improve security. Usually, Windows creates a new (and potentially
unrestricted) user profile when a person tries to log on with a profile that
Windows cannot locate. This option prevents that from happening.


o Remove cached copies of locked (or roaming) user profiles to improve
privacy and disk space. When this option is selected, Windows does not
save the profiles for locked (or roaming) user profiles. This prevents other
people from being able to browse through the profiles of people who
have previously logged on.


o Remove the Shut Down and Turn Off Computer logon options. This option
removes the ability to turn off the computer from the Start menu and the
Windows Welcome screen.


o Use the Welcome Screen. This option turns on the Windows Welcome
screen, which displays a list of available user accounts on the computer
when Windows starts up.


o Remove Administrator from the Welcome screen. This option prevents
the default Administrator account from being displayed on the Welcome
screen. You can press CTRL+ALT+DEL twice to access the traditional
logon dialog box, in which you can type the user name and password
directly to log on with any user account not shown on the Welcome
screen.


• Step 3. Create a Public Account for Shared Access. This section provides
guidance for creating a local limited user account to be used for shared access to
the computer. On many shared computers, there is just one user account that is
shared by everyone who uses the computer. This section provides a shortcut to
the User Accounts tool that lets you create the account.


• Step 4. Configure the Public User Profile. This section provides guidance for
logging on with the new Public account to configure Windows settings, printers,
and programs for the account. After configuring the Public user profile, you will
need to log off and then log back on as the Toolkit Administrator to continue with
the Getting Started tool.


• Step 5. Restrict and Lock the Public User Profile. This section provides a shortcut
to the Windows Restrictions tool and guidance for using the tool to lock and
restrict the Public user profile.


• Step 6. Test the Public User Profile. This section provides guidance for logging on
to the Public user profile so that you can test the effectiveness of your
configuration and restrictions for the account. After testing the Public user profile,
you will need to log off and then log back on as the Toolkit Administrator to
continue with the Getting Started tool.


• Step 7. Turn on Windows Disk Protection. This section provides a shortcut to the
Windows Disk Protection tool, along with guidance for turning on the tool and
configuring it to download and install critical updates.


• Step 8. You’re Done! Learn More About the Toolkit. This section provides links to
the Shared Computer Toolkit Handbook and Shared Computer Toolkit Help.





Uninstall the Toolkit 


You can uninstall the Toolkit at any time by using the Add or Remove Programs tool in 
Windows XP. However, certain features of the Toolkit will no longer be available after the 
Toolkit is uninstalled, such as all aspects of Windows Disk Protection. 


If Windows Disk Protection is on, the uninstall process will prompt you to save changes to
disk and restart the computer. If you do not click Yes to this prompt, the next time you
restart your computer the Toolkit will still be installed. This is expected behavior.


Before you uninstall the Toolkit, turn off the following specific features within all user 
profiles that use them: 


• Session Timers. You must turn off timers for mandatory logoff and idle logoff
(make sure that each entry is blank) in the General Settings section of the
Windows Restrictions tool.


• Restart at Logoff. Clear the check box for this setting in the General Settings
section of the Windows Restrictions tool.


• AutoRestart. Set this command-line tool to disabled, if you used it to automatically
restart a specific program.


The following features will still be available after you uninstall the Toolkit: 


• Recommended Restrictions for Shared Accounts. Any restrictions selected in the
Recommended Restrictions for Shared Accounts section of the Windows
Restrictions tool remain in effect.


• Optional Restrictions. Any restrictions selected in the Optional Restrictions section
of the Windows Restrictions tool remain in effect.


• Locked Profiles. Profiles that have been locked with the Windows Restrictions tool
will remain locked.


• AutoLogon Settings. Any account configured to log on automatically with the
AutoLogon command-line tool will remain in effect.


• Getting Started. Computer security options selected in the Getting Started tool will
remain in effect.


• Welcome. Settings specified with the Welcome command-line tool will remain in
effect.







Note 


If the terms in this chapter 
are difficult to understand, 
you might want to review the 
Disks and Partitions section 
of Appendix A, “Technical 
Primer.” 


Note 


The protection partition can 
also use free space in an 
extended partition, as long as 
all of the logical drives in the 
extended partition are 
formatted and labeled. 


Chapter 2: Prepare the Disk for 
Windows Disk Protection 


The Windows Disk Protection tool protects the Microsoft® Windows® XP operating system 
and program files from being permanently changed on the Windows partition — typically 
the C: drive. When Windows Disk Protection is on, users can work as usual and Windows 
behaves as expected. However, all disk changes made aren’t actually being made to the 
Windows partition - they are stored temporarily in another location. 


When the computer restarts, Windows Disk Protection returns the Windows partition to its 
original condition, clearing the changes made since the previous restart. This is a powerful 
security feature for shared computers. 


Windows Disk Protection requires special preparation of the hard disk on the computer, 
which is explained through the following topics: 


• Windows Disk Protection requirements
• Resize an existing partition
• Size the disk during Windows XP Setup





Windows Disk Protection Requirements 


Windows Disk Protection requires a minimum of 1 GB of unallocated disk space. This 
unallocated disk space will become the protection partition—for storing disk changes 
temporarily when Windows Disk Protection is turned on. 


To turn on Windows Disk Protection, you must fulfill the following requirements: 


• Ensure that at least 1 GB or approximately 10 percent of the Windows partition
(typically the C: drive) is available as unallocated disk space.


• The unallocated disk space must follow a primary partition; it cannot be at the
beginning of the disk.


• The disk that contains unallocated disk space may have no more than three primary
partitions.


You can use the Disk Management utility to view the current partitions on the hard disk. 








To view current partitions by using the Disk Management utility in Windows XP

1. Log on as the Toolkit administrator.

2. Click Start, and then click Run.

3. In the Run dialog box, type diskmgmt.msc and then click OK.


Alternatively, you can right-click My Computer, click Manage, and then click Disk 
Management. 
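
The requirements listed above, plus the 10 percent sizing guideline, can be checked mechanically once the layout has been read off Disk Management. The following Python script is an added example, not part of the Toolkit or this Handbook; the Region model, the function names and the sample layouts are hypothetical. It assumes that "follow a primary partition" means "come directly after one", and it does not model free space inside an extended partition.

```python
from dataclasses import dataclass, field
from typing import List

MB_PER_GB = 1024   # the Handbook's convention: 1 GB = 1024 MB
MAX_PRIMARY = 3    # "no more than three primary partitions"


@dataclass
class Region:
    """One entry on the disk, listed in on-disk order (hypothetical model)."""
    kind: str        # "primary", "extended" or "unallocated"
    size_mb: int
    label: str = ""  # drive letter for a partition, e.g. "C:"


@dataclass
class Report:
    errors: List[str] = field(default_factory=list)    # a stated requirement is not met
    warnings: List[str] = field(default_factory=list)  # only the sizing guideline is missed

    @property
    def ready(self) -> bool:
        return not self.errors


def recommended_reserve_mb(windows_mb: int) -> int:
    """1 GB or 10 percent of the Windows partition, whichever is greater."""
    ten_percent = -(-windows_mb // 10)  # integer ceiling of windows_mb / 10
    return max(MB_PER_GB, ten_percent)


def check_layout(regions: List[Region], windows_label: str = "C:") -> Report:
    report = Report()

    windows = next((r for r in regions
                    if r.kind == "primary" and r.label == windows_label), None)
    if windows is None:
        report.errors.append(f"no primary partition labelled {windows_label}")

    primaries = sum(1 for r in regions if r.kind == "primary")
    if primaries > MAX_PRIMARY:
        report.errors.append(f"{primaries} primary partitions; the limit is {MAX_PRIMARY}")

    # Assumption: "must follow a primary partition" means the entry directly
    # before the unallocated space is a primary partition. Space at the very
    # beginning of the disk (index 0) is therefore never usable.
    usable = [r.size_mb for i, r in enumerate(regions)
              if r.kind == "unallocated" and i > 0 and regions[i - 1].kind == "primary"]
    if not usable:
        report.errors.append("no unallocated space after a primary partition")
        return report

    reserve = max(usable)
    if reserve < MB_PER_GB:
        report.errors.append(f"{reserve} MB unallocated; the minimum is {MB_PER_GB} MB")
    elif windows is not None and reserve < recommended_reserve_mb(windows.size_mb):
        report.warnings.append(
            f"{reserve} MB unallocated; about "
            f"{recommended_reserve_mb(windows.size_mb)} MB is suggested for a "
            f"{windows.size_mb} MB Windows partition")
    return report


# Constructed sample layouts (sizes in MB). The first mirrors the Handbook's
# 40 GB disk with a 36 GB C: drive and 4 GB of unallocated space.
HANDBOOK_40GB = [Region("primary", 36 * MB_PER_GB, "C:"),
                 Region("unallocated", 4 * MB_PER_GB)]
FULLY_PARTITIONED = [Region("primary", 40 * MB_PER_GB, "C:")]
GAP_AT_START = [Region("unallocated", 4 * MB_PER_GB),
                Region("primary", 36 * MB_PER_GB, "C:")]
FOUR_PRIMARIES = [Region("primary", 20 * MB_PER_GB, "C:"),
                  Region("primary", 5 * MB_PER_GB, "D:"),
                  Region("primary", 5 * MB_PER_GB, "E:"),
                  Region("primary", 6 * MB_PER_GB, "F:"),
                  Region("unallocated", 4 * MB_PER_GB)]
UNDERSIZED = [Region("primary", 38 * MB_PER_GB, "C:"),
              Region("unallocated", 2 * MB_PER_GB)]

if __name__ == "__main__":
    samples = {"handbook 40 GB": HANDBOOK_40GB, "fully partitioned": FULLY_PARTITIONED,
               "gap at start": GAP_AT_START, "four primaries": FOUR_PRIMARIES,
               "undersized reserve": UNDERSIZED}
    for name, layout in samples.items():
        result = check_layout(layout)
        print(f"{name}: ready={result.ready}")
        for line in result.errors + result.warnings:
            print(f"  - {line}")
```

A layout that meets the 1 GB minimum but falls short of the 10 percent guideline is reported as ready with a warning rather than as an error.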










The following figure shows the Disk Management utility on a computer with a single 40 GB 
hard disk. The hard disk has a 36 GB Windows partition (the C: drive) and 4 GB of 
unallocated disk space for Windows Disk Protection. 


Figure 2.1 Unallocated disk space should be 1 GB or approximately 10 percent of the size
of the Windows partition, whichever is greater











persistent user data when
Windows Disk Protection is on
are described in Chapter 9,
“Advanced Scenarios.”


The following table provides several hard disk configuration examples:

Disk size    Windows partition    Unallocated or free space (1 GB = 1024 MB)

30 GB        27 GB                3 GB

80 GB        72 GB                8 GB

120 GB       108 GB               12 GB

250 GB       225 GB               25 GB





Most computers do not come with unallocated disk space—the entire disk is typically fully 
partitioned, often as a single C: drive. The following sections provide two options for 
creating the unallocated disk space necessary for Windows Disk Protection. 





Resize an Existing Partition 


If your computer already has Windows XP installed and you do not want to reinstall and 
reconfigure Windows and other programs, you need a third-party disk utility to resize the 
Windows partition and leave unallocated disk space for Windows Disk Protection. 


This section describes how to use Norton PartitionMagic 8.0 to create the unallocated disk 
space required for Windows Disk Protection. 


Alternatively, you can use TeraByte Unlimited BootIt Next Generation. Full instructions and
downloadable trial software are available on the TeraByte Unlimited Web site.


You can locate other disk partitioning utilities by searching Windows Marketplace. 


Note


For the best results, start 
PartitionMagic 8.0 by starting 
the computer from the 
program CD—not by starting 
the program from within 
Windows. You should also 
make a full backup before 
you begin this procedure. 


Note 


Make sure you leave enough 
room for Windows XP and all 
necessary programs, typically 
at least 10 GB for the 
Windows partition. In this 
example, the 40 GB partition 
is resized to 36 GB. 










To resize a partition using PartitionMagic 8.0 


1. Insert the PartitionMagic CD into the CD-ROM drive on the computer.


2. If the program starts automatically, click Exit.


3. Click Start, click Turn Off Computer, and then click Restart. Ensure the computer
starts from the PartitionMagic CD.


4. After PartitionMagic starts, at the command prompt, type 1 for Norton PartitionMagic,
and then select the language you want to use.


5. In the main window for the program (shown in the following figure) choose a hard disk
by clicking the drop-down menu on the main toolbar. The example in the following
figure shows a 40 GB hard disk with a single primary partition.


Figure 2.2 The PartitionMagic 8.0 main window








6. Click the partition that you want to resize, click Operations, and then click
Resize/Move.


7. In the Resize/Move Partition dialog box (shown in the following figure), in the Free
Space After box, type the amount of unallocated space to reserve. Use this formula:
Number of GB * 1024. The following example shows 4096 (4*1024). The exact
number is not important, as long as it is greater than 1024 (1 GB).
Figure 2.3 Resizing a partition in PartitionMagic 8.0 





8. Click OK and then click Apply to resize the partition. It will take a few minutes to 
complete. 


9. After it finishes, click Exit, remove the CD, restart the computer, and log on to 
Windows as the Toolkit administrator. 


10. Within a minute after you log on to Windows, a System Settings Change dialog will 
appear that asks if you want to restart your computer. Click No. The computer is now 
ready for Windows Disk Protection to be turned on. 





After completing these steps, you are ready to proceed to Chapter 3, “User Profiles.” 





Size the Disk During Windows XP Setup 


If you plan to perform a clean installation of Windows XP, the best way to prepare the hard 
disk for Windows Disk Protection is to create a primary partition of the appropriate size 
during Windows XP setup. This option is only appropriate if you are willing to overwrite all 
programs, settings, and files on the computer’s hard disk. 


Important 

Deleting partitions will destroy any data on that partition. Only use this method if you do 
not need to preserve any information on the computer and are willing to reinstall 
Windows, all necessary ... and ... 


After you start Windows XP Setup (which you can do by starting the computer with the 
Windows XP installation CD in the CD-ROM drive), and after you accept the Microsoft 
Windows XP Licensing Agreement, Setup displays the page shown in the following figure. 
Figure 2.4 Configuring partitions during Windows XP Setup 





To size a partition during Windows XP Setup 


1. The example in the previous figure shows a single hard disk that has 40 GB of 
unallocated space. To create a partition, press C to display the page shown in the 
following figure. This page shows the minimum and maximum size you can designate 
for a new partition. 


2. Type the appropriate size in MB for the partition you want to create and then press 
ENTER. For example, to create a 36 GB partition, you would type 36864 (36 * 1024). 
Leave the remaining space unallocated for use by Windows Disk Protection. 


3. Use the arrow keys to select the partition into which to install Windows (if it is not 
already selected) and then press ENTER. 


4. Use your arrow keys to select Format the partition using the NTFS file system (Quick) 
and then press ENTER. 


5. Windows XP Setup copies the necessary installation files, and then restarts your 
computer. Continue with the installation of Windows. 











Figure 2.5 Creating a new partition during Windows XP setup 


Important 

Only create the C: partition during Windows installation. Create an optional persistent 
partition using the Disk Management tool after the installation is complete. 
Note 

Local user accounts are used on stand-alone or workgroup computers. If the computer is 
a member of an Active Directory domain, see Chapter 10, “The Shared Computer Toolkit in 
Domain Environments,” for more information. 


Note 

Windows XP Professional also supports groups to which various permissions and rights 
can be granted, providing a much more flexible configuration of user accounts. However, 
users of a shared computer should be given access only to limited user accounts 
whenever possible. 


Chapter 3: User Profiles 


Now that you have prepared the computer and installed the Microsoft® Shared Computer 
Toolkit for Windows® XP, it is time to address the needs of your users. To do this, you will 
create user accounts and then customize each user profile. 


In this chapter, you will learn how to: 

• Create local limited user accounts 
• Set up local user profiles 
• Optional activity: Customize the All Users Start menu 
• Optional activity: Customize a user’s Start menu 





Create Local Limited User Accounts 


The first step is to create accounts for the users of the computer. Depending on your 
environment, you can create: 


• A separate user account for each user. This solution is useful when you have relatively 
few users and each has different needs. When you have many users, creating 
separate accounts is unwieldy. You can either consolidate accounts (if users share 
common needs) or consider using an Active Directory® directory service environment 
instead. 

• A single user account to be used by all users. 

• A few categories of user accounts to be used by all users. For example, in a library 
setting, you might create one account for children and a different account for adults. 


How you structure accounts depends on your situation, but having fewer accounts typically 
means less management. 


If you plan to use a computer imaging or cloning approach in your environment, you could 
create a different user account for each type of computer. Then, after you clone the 
original computer multiple times, disable the accounts not used on each cloned computer. 
This will reduce the number of original computer images you need to manage. 


Windows XP supports two primary types of local user accounts: 


• Computer administrator. A computer administrator type account has the rights to 
install and uninstall software and device drivers, change Windows configuration 
settings, create and delete users, and change security settings. You will use an 
administrative account to manage Windows and the Toolkit options. 

• Limited. A limited account does not, by default, have the rights to perform any of the 
actions listed for the administrator type account. By default, a limited user account 
can run programs, access the Internet and local network, change desktop settings, 
create folders and files, and perform other daily activities. 


When you create accounts, you should create limited user accounts. You will then use the 
Windows Restrictions tool in the Toolkit to further restrict the activities of those users. 
Giving users access to administrative accounts presents a number of security 
vulnerabilities. Sometimes, however, your users may want to run programs that require an 
administrative account to run properly. Many games fall into this category. In these 
situations, you might need to create administrator type accounts for certain users and 
then restrict those accounts (so that the users of those accounts have certain rights that 
are not granted to limited user accounts). You can learn more about this option in 
Chapter 9, "Advanced Scenarios." 


Note 

The User Profiles tool can create and delete user profiles, as described in Chapter 9, 
“Advanced Scenarios.” You can learn more about user profiles in Appendix A, 
“Technical Primer.” 








To create a new limited user account 
1. Log on using an administrative account. 

2. Click Start, and then click Control Panel. 

3. In Control Panel, double-click User Accounts. 

4. In the User Accounts window, click Create a new account. 

5. On the Name the new account page, type the name of the new user account, and then 
click Next. 

6. On the Pick an account type page, click Limited, and then click Create Account. 











Set Up Local User Profiles 


After you create local user accounts, the next step is to create and configure the user 
profiles for those accounts. To complete this process, you log on with the user accounts 
you have created, run programs for the first time, and configure Windows settings. 








To set up a local user profile 


1. Log on using one of the local user accounts you created. When you log on with an 
account for the first time, Windows automatically creates a new user profile. 


2. Perform first-time setup activities for programs such as Microsoft Office and Windows 
Media Player so that your users will not have to. If you don’t run programs for the first 
time as each user, the users will have to perform this step themselves. This is 
problematic when you use locked profiles, because every user will have to repeat the 
steps when running the program. Configure important programs such as: 

   • Microsoft Office. 
   • Windows Media Player. 
   • MSN Messenger. 
   • MSN Games Loader. 
   • Macromedia Flash. 
   • Other programs or utilities needed on the shared computer. 


3. Configure any important settings such as: 

   • Install and configure printers users will need to access. 
   • Software and device driver settings the user may require. 
   • Desktop settings such as wallpaper and screen saver settings. 


4. Repeat steps 1-3 for each local user account. 











Note 

The idle logoff timer in the Windows Restrictions tool uses screen saver settings. If 
you plan to set an idle logoff timer later for this user, don’t configure their screen 
saver now. 


Optional Activity: Customize the All Users Start Menu 


Important 

When you customize the All Users Start menu, remove access to utilities that users 
should not access, such as antivirus, antispyware, and disk utilities. 


Important 

Changes made to the All Users Start menu affect all users of the shared computer. 
Most programs install Start menu shortcuts in the All Users profile. 


By default, the Windows Restrictions tool enables the Windows Classic Start menu—a 
menu similar to that featured in previous versions of Windows. Using the Classic Start 
menu makes it easier to customize what programs appear on the Start menu for a user 
profile. 


You do not need to turn on the Classic Start menu manually, but you can arrange icons 
within the Start menu now so that they will appear in the right place after you run the 
Windows Restrictions tool later. 


Windows XP builds the Start menu for a user based on program shortcuts that are stored 
by default in two locations: 


• The \Documents and Settings\All Users\Start Menu folder. This folder contains 
program shortcuts that are included on the Start menu for all user accounts. 

• The \Documents and Settings\username\Start Menu folder. This folder contains 
program shortcuts that are specific to a particular user profile. 


Windows combines the contents of these two folders to generate the program shortcuts 
displayed on a user’s Start menu. To customize (and secure) the Start menus for users, 
you should first make sure that the All Users\Start Menu folder contains only those 
program shortcuts to which you want all users to have access. Later in this section, you'll 
customize the Start menu for the individual user profile. 


Some shared computer operators like to make sure that the All Users\Start Menu folder 
contains no programs and that the Start Menu folder for each profile includes the 
appropriate shortcuts instead. Note, however, that removing a shortcut from the Start 
menu does not necessarily make the program unavailable. For example, users could still 
double-click a .doc file to open Microsoft Word, even if a shortcut for Word is not available 
on the Start menu. 








To customize the programs that appear on the All Users Start menu 
1. Log on using an administrative account. 

2. Right-click the Start button and then click Explore All Users. Shortcuts located in the 
Start Menu folder appear directly on the Start menu. Shortcuts in the Programs folder 
appear on the Programs submenu of the Start menu. 


3. Use Windows Explorer to drag shortcuts to the Start Menu folder to make them 
appear directly on the Start Menu for all users. 





4. Drag other shortcuts to and from the All Users folders to suit your needs. 





Remove the following icons from the All Users Start menu so they are not available to the 
shared accounts you create: 


• Set Program Access and Defaults 
• Windows Catalog 
• Windows Update 
• Command Prompt 
• System Tools folder 


Note 

Replace any Windows Explorer shortcuts with My Computer shortcuts in the user’s Start 
Menu to avoid error messages if you plan to restrict access to the C: drive. Windows 
Explorer by default attempts to display profile folders, which are located on the C: drive. 
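An added example, not part of the Toolkit or the original handbook: a Python script that models how the All Users and per-user Start Menu folders are merged and reports which of the entries listed above a user would still see, and from which folder. The directory tree, the "kiosk" profile name, and matching on the shortcut name alone are assumptions; the sample tree is constructed.

```python
import os
import tempfile

# Entries this section says to remove from the All Users Start menu.
# Matching on the shortcut or folder name alone is an assumption of this example.
REMOVE_NAMES = {
    "set program access and defaults",
    "windows catalog",
    "windows update",
    "command prompt",
    "system tools",  # a folder: everything beneath it is flagged as well
}


def list_entries(start_menu_root):
    """Return the relative path of every folder and shortcut under a Start Menu root."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(start_menu_root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), start_menu_root)
            entries.append(rel.replace(os.sep, "\\"))
    return sorted(entries)


def display_name(component):
    """'Windows Update.lnk' -> 'windows update' (drop the .lnk extension, lower-case)."""
    if component.lower().endswith(".lnk"):
        component = component[:-4]
    return component.lower()


def is_flagged(rel_path):
    """True if the entry, or any folder above it, is on the removal list."""
    return any(display_name(part) in REMOVE_NAMES for part in rel_path.split("\\"))


def effective_menu(all_users_root, user_root):
    """Model the merge of the two folders: each entry maps to the folder(s) supplying it."""
    merged = {}
    for source, root in (("All Users", all_users_root), ("user", user_root)):
        for rel in list_entries(root):
            # Windows file names are case-insensitive, so merge on the lower-cased path.
            _, sources = merged.setdefault(rel.lower(), (rel, []))
            sources.append(source)
    return merged


def audit(all_users_root, user_root):
    """Return (entry, sources) for every flagged entry still visible to the user."""
    merged = effective_menu(all_users_root, user_root)
    return sorted((rel, tuple(src)) for rel, src in merged.values() if is_flagged(rel))


def build_sample_tree(base):
    """Create a constructed All Users / per-user Start Menu layout under base."""
    layout = {
        "All Users": [
            "Windows Update.lnk",
            "Windows Catalog.lnk",
            "Programs/Accessories/Command Prompt.lnk",
            "Programs/Accessories/Notepad.lnk",
            "Programs/Accessories/System Tools/Disk Defragmenter.lnk",
        ],
        "kiosk": [  # hypothetical shared account
            "Programs/Internet Explorer.lnk",
            "Programs/Accessories/Command Prompt.lnk",
        ],
    }
    roots = {}
    for profile, files in layout.items():
        root = os.path.join(base, profile, "Start Menu")
        for rel in files:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()  # empty placeholder standing in for a shortcut
        roots[profile] = root
    return roots


def run_sample():
    """Audit the constructed tree and return the flagged entries."""
    with tempfile.TemporaryDirectory() as base:
        roots = build_sample_tree(base)
        return audit(roots["All Users"], roots["kiosk"])


if __name__ == "__main__":
    for rel, sources in run_sample():
        print(f"{rel}  (supplied by: {', '.join(sources)})")
```

In the sample, Command Prompt is supplied by both folders, so deleting it from All Users alone would leave it on that user's menu.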





Optional Activity: Customize a User’s Start Menu 


Just as you can configure shortcuts that appear on the All Users Start menu, you can also 
configure the shortcuts that appear on the Start menu for an individual user profile. 








To customize the programs that appear on an individual profile’s Start menu 
1. Log on using an administrative account. 


2. Right-click the Start button and then click Explore. 


3. Inside the Documents and Settings folder, you will see a subfolder for each user 
profile on the shared computer. If you do not see folders for user accounts, you 
probably have not yet created the user profiles. To do so, log on as each user on the 
computer, as described in the "Set Up Local User Profiles" procedure covered earlier 
in this chapter. 


4. Use Windows Explorer to copy shortcuts to each user's Start Menu folder to make 
them appear directly on the Start menu for that user. 


5. Drag other shortcuts to and from each user's folder to suit your needs. 








Chapter 4: Windows Restrictions 


The Windows Restrictions tool allows you to restrict user actions. By default, users who 
have limited accounts cannot install software or hardware, but can run programs they 
download or bring with them on a USB drive - potentially causing problems on the 
computer. With the Windows Restrictions tool, you can define restrictions for Microsoft® 
Internet Explorer, the Microsoft Windows® XP operating system, the Start menu, and 
specify what software is permitted to run. 


Note 

... computer environments allow customers to use administrative accounts. This is not a 
recommended practice, but it can be improved upon. For more information about this topic, 
see the "... Administrator Account" section in Chapter 9, “Advanced Scenarios.” 


This chapter covers the following topics: 

• Set restrictions for a user profile 
• Locking a profile 
• General settings 
• Recommended restrictions 
• Optional restrictions 





Set Restrictions for a User Profile 





To set restrictions for a user profile 
1. Log on using an administrative account. 


2. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and 
then click Windows Restrictions. 


3. Click Select a Profile. 











Figure 4.1 The main screen of the Windows Restrictions tool. 
Note 

The Select a Profile to Restrict dialog box shows all user accounts configured on the 
shared computer, including those that are disabled. 


4. In the Select a Profile to Restrict dialog box, click the user profile that you want to 
restrict. 


5. Select the Lock this profile check box to prevent users from being able to change 
settings while logged on with the user account. You can read more about locking 
profiles in the following section, “Locking a Profile.” 


6. Select the Recommended Restrictions for Shared Accounts check box. This enables 
the most important restrictions. You can read a complete description of the settings in 
the “Recommended Restrictions for Shared Accounts” section of this chapter. 


7. In the General Settings section, type in the default home page and a proxy server if 
necessary. 


8. In the Session Timers section, set limits on the number of minutes the user can use 
the computer or be idle before a forced logoff. You can also choose to leave these 
options blank. 


9. Click Select Drives to Restrict and then restrict all of the drive letters to which the user 
should not have access. Microsoft highly recommends restricting access to the 
Windows partition where Windows and programs are installed (typically the C: drive). 


10. Click Apply to apply the selected restrictions to the user profile and continue working 
with the Windows Restrictions tool. Click OK to apply the selected restrictions to the 
user profile and close the Windows Restrictions tool. 








Locking a Profile 


The Lock this profile setting prevents people from being able to change the user profile 
when they are logged on. This setting is useful for user profiles that are shared by multiple 
people. If you select this check box, it will not take effect until you click OK or Apply. 


When a profile is locked, files that Windows generally stores on the user’s behalf (typically 
in the Documents and Settings\profile name folder) are not available when the next user 
logs on. Locked profiles increase the privacy of users and make keeping a clean, 
standardized desktop much easier for operators of shared computers. 


Following are items that are not kept between logons when a profile is locked: 


• Internet history and cookies 
• Favorites 
• Files stored on the desktop 
• Desktop wallpaper 
• Changes to application settings 
• Accessibility changes 
• Start menu changes 





Important 

Locked user profile folders are renamed from \Documents and Settings\user name to 
\Documents and Settings\user name.Orig. Use this new folder name to locate Start menu 
icons after the user profile has been locked. 


Important 

Clearing restrictions may have adverse, unintended effects and should only be done with 
extensive testing to ensure your environment does not become significantly less secure. 


General Settings 


To get started, click Select a Profile and then, in the Select a Profile to Restrict dialog box, 
click the user profile that you want to restrict. 


In the General Settings section of the Windows Restrictions tool, you can define the 
following settings: 
• Home Page. This setting configures Internet Explorer to use a particular home 
page. 

• Proxy. You can specify an address for a proxy server—a server that provides 
Internet access (and often content-filtering services) to the computer. 

• Session Timers. You can configure two time restrictions to apply to users: 

   • Log off after __ minutes of use. This setting specifies how long users can 
   use the computer before they are logged off automatically. 

   • Log off after __ minutes idle. This setting specifies how long users can be 
   idle or inactive before they are logged off automatically. 

• Restrict Drives in My Computer. When you click the Select Drives to Restrict 
button, a dialog opens in which you can prevent this user from accessing one or 
more drives that are available through My Computer. 

• Restart at Logoff. This setting forces Windows to restart when a user logs off of 
the selected profile. 





Recommended Restrictions for Shared Accounts 


Because many of these restrictions work together to provide a more secure environment 
for shared accounts, it is better to enable all the restrictions in a category at once. For 
example, Windows XP Home Edition allows users to change passwords if they have access 
to Control Panel. This means you must use both the Prevent password changes restriction 
and the Remove Control Panel icon restrictions to effectively restrict password changes. 


Start Menu Restrictions 


In the Windows Restrictions tool, click the Start Menu Restrictions heading to expand the 
entire list of restrictions that you can configure for the Start menu. The following list 
describes the Start Menu Restrictions: 


• Disable right-clicking in the Start menu. Prevents the user from accessing 
shortcut menus by right-clicking on items in the Start menu. 

• Force the Classic Start Menu (better for shared accounts). The Classic Start Menu 
makes it easier for you to configure the programs available to a user on the Start 
menu. 

• Hide Control Panel, Printer, and Network Settings from Classic Start Menu. 
Removes these icons from the Start menu. 

• Remove My Documents icon. Prevents users from accessing the My Documents 
folder through the icon on the Start menu. 

• Remove My Recent Documents icon. Prevents users from accessing recently 
opened programs through the icon on the Start menu. This helps to ensure that 
users cannot access programs to which they are denied access. 


• Remove My Pictures icon. Prevents users from accessing the My Pictures folder 
through the icon on the Start menu. 

• Remove My Music icon. Prevents users from accessing the My Music folder 
through the icon on the Start menu. 

• Remove Favorites icon. Prevents users from accessing the Favorites folder 
through the icon on the Start menu. This helps to prevent unwanted access to the 
Internet. 

• Remove My Network Places icon. Prevents users from accessing My Network 
Places through the icon on the Start menu, helping to prevent viewing shortcuts 
to other computers, printers, and network resources that My Network Places 
displays. 

• Remove Control Panel icon. Prevents users from accessing the tools in Control 
Panel through the icon on the Start menu. 

• Remove Set Program Access icon. Removes the Set Program Access and Defaults 
icon. 

• Remove Connect To icon. Prevents users from connecting to network resources 
through the icon on the Start menu. 

• Remove Printers and Faxes icon. Prevents users from accessing the Printers and 
Faxes window through the icon on the Start menu. 

• Remove Help and Support icon. Prevents users from accessing the Help and 
Support window through the icon on the Start menu. Many help pages provide 
shortcut access to system tools and locations. 

• Remove Search icon. Prevents users from using the Search tool through the icon 
on the Start menu to locate folders, files, and network resources to which they 
should not have access. 

• Remove Run icon. Prevents users from using the Run dialog box to issue 
commands or start programs. 

• Remove Frequently Used Programs list. Prevents the Start menu from displaying 
frequently-used programs. 

• Remove Shut Down button. Prevents users from turning off or restarting the 
computer through the icon on the Start menu. 


Important 

Many of the Start Menu Restrictions remove the icon for a folder or program from the 
Start menu, but do not otherwise prevent access to the folder or program. For this 
reason, it is important that you use the other restrictions available in the Windows 
Restrictions tool to provide the best possible combination of restrictions. 


General Windows XP Restrictions 
The following list describes the General Windows XP Restrictions: 


• Remove CD Burning features. Prevents users from using the built-in features of 
Windows XP to copy information to a writable CD. 

• Disable AutoPlay on CD-ROM drives. Prevents Windows from automatically 
displaying options (or taking particular action) when a user inserts removable 
media. 

• Disable right-click in Windows Explorer. Disables the shortcut menu that appears 
when a user right-clicks an object in the Windows environment. 

• Disable the Recycle Bin (to help ensure privacy between users). Helps to ensure 
that when a user deletes a file, subsequent users cannot access the file. 

• Prevent access to some Windows Explorer features (such as Folder Options and 
Search). Prevent access to some Windows Explorer features. 

• Prevent access to the Taskbar. Prevents access to the Windows taskbar. 

• Prevent access to the Command Prompt. Prevents users from accessing folders, 
files, and programs from the Windows command prompt. 

• Prevent access to the Registry Editor. Prevents users from accessing tools that 
allow them to modify the Registry. 

• Prevent access to Task Manager. Prevents users from accessing Task Manager, a 
utility that you can use to stop and start programs and processes, and shut down 
or restart the computer. 

• Prevent access to printer configuration. Prevents users from changing printer 
connection settings on the computer. 

• Prevent access to Microsoft Management Console utilities. Prevents users from 
using the MMC console to load snap-ins that can be used to alter the Windows 
environment. 

• Prevent users from locking the workstation. Prevents users from being able to 
lock the computer. 

• Prevent password changes (requires that Control Panel also be disabled). 
Prevents users from changing the password associated with the user account 
with which they are logged on. 


Internet Explorer Restrictions 
The following list describes the Internet Explorer Restrictions: 


• Disable right-clicking in Internet Explorer. Prevents users from being able to 
perform advanced activities on Web content in Internet Explorer by right-clicking 
items. Some types of content can still be right-clicked, such as Macromedia Flash 
objects. 

• Restrict Internet Explorer menu choices (such as Internet Options). Prevents users 
from accessing certain Internet Explorer menu commands, such as Internet 
Options. 

• Restrict Internet Explorer toolbar buttons (such as Search and News). Prevents 
users from accessing certain toolbar buttons, such as News. 


Microsoft Office Restrictions 


You can use the Windows Restrictions tool to apply restrictions that apply to Microsoft 
Office 2000, XP, and 2003. The following list describes the Microsoft Office Restrictions: 


• Disable Visual Basic for Applications (VBA). Prevents users from accessing VBA 
tools in Office programs. 

• Disable macro shortcut keys. Prevents users from running macros using shortcut 
keys in Office programs. 

• Disable Tools | Macro menu items. Prevents users from accessing macro 
commands in Office programs. 

• Disable Tools | Add-Ins menu items. Prevents users from enabling and disabling 
add-in programs in Office programs. 

• Disable the Web toolbar. Prevents users from enabling the Web toolbar in Office 
programs and being able to view files and folders on restricted drives. 

• Open Office documents in the appropriate Office program instead of Internet 
Explorer. By default, when a user clicks a link in Internet Explorer to a Microsoft 
Office document, the document opens in an Internet Explorer window. This 
restriction forces Office documents to open with the appropriate Office program 
instead. Selecting this option helps to prevent users from using Internet Explorer 
to gain access to restricted areas of the file system. 

• Disable Detect and Repair from Help menu. Prevents users from running the 
Detect and Repair command in Office programs. 

• Prevent changes and imports to Clip Organizer. Prevents users from accessing the 
Clip Organizer in Office programs. 


Important 

Some games (such as Halo PC) and other programs that use copy protection do not 
work properly when Software Restriction Policy is selected. To use those games, you 
must not use Software Restriction Policy. Keep in mind, though, that turning off 
Software Restriction Policy significantly weakens the security for the profile. 


Software Restriction Policy 


Software Restriction Policy comprises important security settings that can help you restrict 
system tools and third-party software from running. For increased security, ensure that all 
of these restrictions are selected. If these restrictions are not selected, users may find 
ways to bypass other restrictions set using the Toolkit. For example, even a limited user 
might be able to edit the registry to allow a user account access to the Internet, restricted 
drives, or even the command prompt. 


The following list describes the restrictions within the Software Restriction Policy list: 


• Prevent all software outside of the Program Files and Windows folders from 
running. Prevents users from being able to run programs that are not in the 
Program Files folder or the Windows path, such as downloaded programs or 
programs on USB drives. 

• Prevent default System Tools from running. Blocks system tools such as Disk 
Defragmenter and ScanDisk from running. 

• Block Windows Management tools that an administrator could use to bypass 
Toolkit security. Prevents users from accessing certain administrative tools. This 
setting is especially important for restricting administrative accounts. 
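An added example, not the Toolkit's or Windows' own code: a Python model of the first restriction in this list, deciding whether a program path lies inside the Program Files or Windows folders. The folder locations `C:\Program Files` and `C:\Windows` and every sample path are assumptions constructed for illustration; Windows performs the real Software Restriction Policy evaluation and supports more rule types than this model.

```python
import ntpath  # Windows path semantics, usable on any platform

# Assumed default locations; the handbook names the folders, not their full paths.
ALLOWED_ROOTS = (r"C:\Program Files", r"C:\Windows")


def _components(path):
    """Normalise a Windows path and split it into lower-cased components."""
    norm = ntpath.normcase(ntpath.normpath(path))
    drive, rest = ntpath.splitdrive(norm)
    return [drive] + [part for part in rest.split("\\") if part]


def is_allowed(program_path, allowed_roots=ALLOWED_ROOTS):
    """True if program_path lies inside one of the allowed folders.

    The comparison is made per path component after normalisation, so a
    sibling folder whose name merely starts with an allowed name, or a path
    that leaves the folder again through '..', is not treated as inside it.
    """
    if not ntpath.isabs(program_path):
        return False  # a relative path depends on the current folder: deny
    target = _components(program_path)
    for root in allowed_roots:
        root_parts = _components(root)
        inside = len(target) > len(root_parts) and target[:len(root_parts)] == root_parts
        if inside:
            return True
    return False


# Constructed sample paths: installed programs, a download on the desktop,
# a program on a removable drive, and three normalisation cases.
SAMPLE_PATHS = [
    r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE",
    r"C:\WINDOWS\system32\notepad.exe",
    r"c:/program files/Internet Explorer/iexplore.exe",
    r"C:\Documents and Settings\kiosk\Desktop\setup.exe",
    r"E:\game.exe",
    r"C:\Program Files\..\Temp\tool.exe",
    r"C:\Program Files2\tool.exe",
    r"tool.exe",
]


def classify(paths=SAMPLE_PATHS):
    """Map each sample path to the model's allow (True) or block (False) decision."""
    return {path: is_allowed(path) for path in paths}


if __name__ == "__main__":
    for path, allowed in classify().items():
        print(f"{'allow' if allowed else 'BLOCK':5}  {path}")
```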





Optional Restrictions 


The following list describes the restrictions within the Additional Microsoft Program 
Restrictions list: 


• Prevent Internet Access. This setting prevents the user from accessing the 
Internet with any programs that use the Internet Explorer proxy settings. When 
you enable this restriction, the Proxy setting is automatically configured as 
NoInternetAccess. 

• Prevent Internet Explorer from running. This setting prevents Internet Explorer 
from running at all. 

• Prevent Windows Messenger from running. This setting prevents the user from 
being able to use Windows Messenger or MSN Messenger. Note that this setting 
prevents users from running Windows Messenger directly from its icon, but does 
not prevent users from running Messenger from a Web-based interface like MSN 
Web Messenger. To prevent access to a Web-based service, you will need to add 
the URL of the service to the blocked URL list in Internet Explorer. 

• Prevent Microsoft Office programs from running (default Program Files 
installation). This setting prevents the user from running any Microsoft Office 
programs. For this setting to work properly, Microsoft Office must be installed in 
the default location, which is C:\Program Files\Microsoft Office. 


The following list describes the restrictions within the Start Menu Program Icon 
Restrictions list: 


• Remove All Users programs from the Start menu Programs icon. This setting 
prevents any icons located in the All Users Start menu folder from displaying in 
the user’s Start menu. 


Chapter 5: A Restricted User Experience 





Although the tools in the Microsoft® Shared Computer Toolkit for Windows® XP are 
primarily used by shared computer operators, the purpose of the tools is to enhance the 
user experience. 


This chapter covers the following topics: 
• A typical restricted desktop 
• How to test restricted user profiles 
• Online Resources for using public computers 
• The Accessibility tool 





A Typical Restricted Desktop 


If you create, configure, and restrict user profiles, you can provide a controlled, consistent 
experience for users. The following figure shows the Start menu for a user profile that has 
been restricted to show only selected program shortcuts. 
Figure 5.1 A restricted Start menu 


How to Test Restricted User Profiles 


Before you turn on Windows Disk Protection, you should take the time to test each user 
account and user profile to make sure that the configurations and restrictions work 
properly. To test a user account, log on to the computer with the user account and verify 
that: 


• Start menus appear correctly. 
• Programs on the Start menu work correctly. 
• No license agreements or other first-time setup screens are offered. 
• Programs to which users should not have access do not appear on the Start 
menu. 
• Windows Restrictions that you have configured for the desktop, Start menu, and 
Internet Explorer work properly. 
• Any user session timeouts that you have applied work properly. 
• The Accessibility tool is located directly on the Start menu so that it is available to 
users who may need it. 
• The New User Resources link is located directly on the Start menu so that it is 
available to all users. 


The problems that you discover when you test a user account can usually be resolved with 
one of the following approaches: 


• Select additional restrictions in the Windows Restrictions tool to prevent 
unintended access to system resources. This can be performed on a user profile 
that is restricted and locked. 

• Clear restrictions in the Windows Restrictions tool if some programs cannot run 
because of the restrictions. This can be performed on a user profile that is 
restricted and locked. 

• Add or delete program icons from the user’s Start menu and the All Users Start 
menu if the user’s Start menu icons are incorrect. This can be performed using 
Windows Explorer from an administrative account, even if the profile is restricted 
and locked. 

• Change the settings of a user profile while you are logged on as the user. This can 
only be performed on a user profile that is unrestricted and unlocked. 








To change user profile settings that require you to log on as the user 

1. Log on using the Toolkit account, the administrative account with which you installed 
the Toolkit. 

2. Start the Windows Restrictions tool. Clear the Lock this profile check box, and then 
remove all restrictions, including the Restrict Drives in My Computer setting in the 
General Settings section. Make a note of the restrictions that you removed so that you 
can re-apply them later. 

3. Log off and then log on as the user account. Make the required configuration settings. 

4. Log off and then log on again using the Toolkit account. 

5. Start the Windows Restrictions tool to lock the user profile (if it was locked before) and 
configure the same restrictions you had before. 

6. Log off and then log on again as the user and test the profile again. 

7. Repeat steps 1 to 6 as required until you correct the issue. 

8. If Windows Disk Protection has been on previously (this should not be the case yet if 
this is your first time using the tools), open it and select the option to Save changes 
with next restart, click OK, then click Yes to restart the computer. 


Note 
A shortcut to the Online Resources for Using Public Computers page is installed into the 
Start menu folder in the All Users profile. 








After you test each user account to ensure it works correctly with the restrictions 
configured, you are ready to turn on Windows Disk Protection by following the steps in the 
next chapter. 





Online Resources for Using Public Computers 


For users who are new to computers or to Windows XP, or new to using computers in 
public places, the Online Resources for Using Public Computers Web page provides a list 
of online resources with information about how to use Windows and to increase security 
and privacy. The page also features resources specifically for teenagers and young 
children. 


To access this page, users can click the Online Resources for Using Public Computers 
shortcut on their Start menu. 








The Accessibility Tool 


Windows XP provides a number of Accessibility options and utilities for users who have 
special needs—options that make the desktop easier to see and that make such input 
devices as the keyboard and mouse easier to use. 


The Toolkit provides easy access to certain Accessibility options so that users of a 
restricted account can still customize their Windows environment. When a user logs on, 
the user can simply click Start, and then click Accessibility to access the Accessibility 
window shown in the following figure. If a profile is not locked, settings made in the 
Accessibility window are saved to the user’s profile so that the user will have the same 
experience when they next use the computer. 
Figure 5.2 The main screen of the Accessibility tool 


Users can configure the following options in the Accessibility window: 


Contrast. A selection of contrast options makes high-contrast desktop color 
schemes available, which improves readability for people who have impaired 
vision. 


Visuals. The options in this section include the following: 
o Extra Large Pointer increases the size of the Windows pointer. 


o Magnifier reserves the top of the screen to provide a magnified view of 
the area surrounding the Windows pointer. 


Keyboard and Mouse. The options in this section include the following: 


o StickyKeys allows a user to use key combinations (such as CTRL+ESC) by 
pressing one key at a time instead of having to press the keys 
simultaneously. StickyKeys works for the CTRL, ALT, and DEL keys, in 
addition to the Windows logo key. When a user presses one of these 
keys, Windows registers the key as “pressed” until the user completes 
the key combination. 


o FilterKeys causes Windows to ignore repeated keystrokes, which is useful 
for people who have involuntary hand movements that cause them to 
press keys in rapid succession or hold a key longer than they intend to. 


o MouseKeys allows a user to use the numeric keypad on the keyboard to 
control pointer movements instead of (or in addition to) using a mouse. 


o On Screen Keyboard opens a software-based keyboard in an on-screen 
window. Users can press the keys on the keyboard by clicking them with 
their mouse or other pointing device. 


Sound. The options in this section include the following: 


o Narrator works with some programs by using a synthesized voice to read 
aloud text from the screen. 


o SoundSentry causes Windows to generate visual warnings when the 
system makes a sound, which is useful for users who are deaf or hard of 
hearing. You can have Windows flash the caption bar at the top of a 
window or dialog box, flash the active window itself, or flash the entire 
desktop. 


o ShowSound causes Windows to display an icon or a text note to indicate 
the particular sound that Windows makes. 





To use the Accessibility tool 

1. Click Start, and then click Accessibility. 

2. In the Accessibility window, either select a check box or press the letter or number 
key that corresponds to the style you want. 

3. Select as many options as you want to apply and then click OK. 


malware 
Malicious software, which includes viruses, worms, and Trojan horses, that is designed to 
harm a computer operating system. 


spyware 
Potentially unwanted software that may collect personal information and is inappropriate 
for shared computers. 


Important 
Before you turn on Windows Disk Protection, be sure that you have correctly prepared your 
hard disk and created, customized, and restricted the required user profiles as discussed 
in the previous chapters in the Handbook. 


Chapter 6: Windows Disk Protection 


The Windows Disk Protection tool protects the Windows operating system and program 
files from being permanently changed on a Windows partition. During a session, a user 
can make changes as necessary within the bounds of any restrictions placed on the user. 
When the computer restarts, Windows Disk Protection returns the Windows partition to its 
original condition, discarding any changes made during the user session. 


This tool helps protect computers from users who might attempt to damage the operating 
system, and it also prevents malware and spyware from tampering with the computer. 


Each time the computer restarts, Windows Disk Protection returns the partition that holds 
the Windows and program files (called the Windows partition) to its original state. This 
provides the next user with a standard and reliable experience. 


To turn on Windows Disk Protection, you must set up your hard disk with unallocated 
space or free space in an extended partition—this space will be reserved for use by the 
Windows Disk Protection tool. 


This chapter covers how to: 
• Turn on Windows Disk Protection 
• Save changes when Windows Disk Protection is on 
• Retain changes when Windows Disk Protection is on 
• Retain changes indefinitely when Windows Disk Protection is on 





Turn On Windows Disk Protection 


The default behavior of Windows Disk Protection is to clear disk changes made to the 
Windows partition with each computer restart, thereby protecting the disk from unwanted 
changes. Operators can at any time choose to save changes made to the disk. Operators 
can also schedule Windows Disk Protection to download, install, and save critical updates 
to disk automatically while the computer is not in use. 








To turn on Windows Disk Protection and schedule critical updates 

1. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and 
then click Windows Disk Protection. The main window is shown in the following figure. 

2. In the Restart Action section, click Turn On. 

3. If Windows Disk Protection identifies antivirus software it knows how to update, it 
displays a dialog box to this effect. If you see this dialog box, click OK. 

4. In the Critical Updates section, configure the day and time at which Windows Disk 
Protection should download and install critical updates. 

5. Click Enabled to enable critical updates. 

6. If Windows Disk Protection did not detect your antivirus software, click Set to 
configure an antivirus script. You can configure other update scripts as needed. 

7. Click OK. 

8. Windows Disk Protection displays a message that states that the computer must be 
restarted for the changes to take effect. Click Yes to restart the computer. 


Figure 6.1 The main screen of the Windows Disk Protection tool 


The default mode for Windows Disk Protection is to Clear changes with each restart. This 
mode ensures that untrusted users and malware cannot save any disk changes to the 
Windows partition of the computer. When the computer restarts, all disk changes that 
were made are removed, and the computer returns to its previous state. 


Critical Updates 


When you turn on Windows Disk Protection, it will continue to install critical updates using 
the Automatic Updates schedule you may have configured previously. It will use Windows 
Update, Microsoft Update, or Windows Server Update Services, depending on which of 
these is currently used by Windows. You can enable or disable critical updates and set the 
schedule to suit your needs when you turn on Windows Disk Protection. 


When Windows Disk Protection downloads and installs critical updates, it will log off and 
lock out users to prevent unapproved disk changes from being saved at the same time. 


In addition to being able to save Microsoft critical updates automatically, Windows Disk 
Protection allows a script you select to save antivirus updates or even updates for other 
programs. 


Windows Disk Protection will offer to perform antivirus signature updates automatically as 
part of the critical updates process if it detects an antivirus product it knows how to 
update. The Toolkit currently detects and includes scripts for updating the following 
antivirus products: 


• Computer Associates Etrust 7.0 
• McAfee VirusScan 2005 


Important 
Restart the computer once before you change the Windows Disk Protection mode so that the 
tool can clear all past changes. 


Important 
The Retain changes for one restart mode remains in effect for only one restart. When the 
computer completes the restart, the tool will return to the default Clear changes with 
each restart mode. 


If you have another antivirus product, you will need to prepare a signature update script 
for it as described in your antivirus software manual. Look for sections that describe the 
command-line tools that perform signature updates. 


Alternatively, check the Microsoft Windows Shared Access newsgroup to see if anyone 
else has already created a signature update script for the antivirus software you have. 


Other Updates 


Windows Disk Protection only automates critical updates—it does not automatically install 
recommended updates, optional updates, driver updates, or special updates that may 
have their own license agreements. Review the updates available on Microsoft Update 
periodically, download and install the ones you want, and use the Windows Disk Protection 
tool to save changes to disk. 





Save Changes When Windows Disk Protection Is On 


When Windows Disk Protection is on, you must take special actions to make changes to 
the disk. Such changes include installing a program, adding a user account, or configuring 
system settings for users. When Windows Disk Protection is off, to install a program, you 
simply log on to the computer using an administrative account, install the program, and 
then make sure that the program shortcut appears on the appropriate Start menus. 


Sometimes, you will need to add a program to a computer permanently. Although you 
could accomplish this by turning off Windows Disk Protection long enough to install the 
program, this action requires that you remember to turn on Windows Disk Protection when 
you finish installing the program. A better approach is to use Save changes with next 
restart. 





To make changes when Windows Disk Protection is on 
1. Restart the shared computer to ensure recent disk changes are cleared. 


2. Log on as the Toolkit administrator. 


3. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and 
then click Windows Disk Protection. 


4. Click Save changes with next restart, and then click OK. A restart will not occur at this 
time. 


5. Make the required changes (such as installing software or changing a user profile) to 
the shared computer and then restart the computer. 


6. When the computer restarts, Windows saves your changes to the Windows partition 
and automatically returns to the default Clear changes with each restart mode. 














Retain Changes When Windows Disk Protection Is On 


In some situations, users might need to install a program or make system changes that 
you do not want to keep on the computer permanently. 








To retain changes temporarily when Windows Disk Protection is on 

1. Restart the shared computer to clear past disk changes. 

2. Log on as the Toolkit administrator. 

3. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and 
then click Windows Disk Protection. 

4. Click Retain changes for one restart and then click OK to exit the tool. 

5. Make the changes that you want, and then restart the computer. 

6. Allow the user to log on and use the computer. 

7. After the user session, restart the computer again to undo changes to the Windows 
partition and automatically return to the default Clear changes with each restart mode 
for Windows Disk Protection. 








Retain Changes Indefinitely When Windows Disk Protection Is On 


This mode allows operators to accomplish tasks that can involve installing and testing 
several new programs. After you click Retain changes indefinitely, changes will continue to 
accumulate on the computer until you click Save changes with next restart or Clear 
changes with each restart. 


The Retain changes indefinitely mode can be particularly useful if you need to install 
several new programs. For example, after this mode is enabled, you can install a new 
program, test it for potential compatibility issues with the other programs on the computer, 
and then move on to installing other programs. 


Important 
If you plan to Retain changes indefinitely for extended periods, more unallocated disk 
space will be required before Windows Disk Protection is turned on. The protection 
partition should match the size of your Windows partition to run in this mode indefinitely. 
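

The four restart modes described in this chapter, and the reason each procedure starts with a restart, can be traced with a small model. The Python sketch below is an added example, not part of the Toolkit or the Handbook. Its ProtectedPartition class, the set-based view of disk contents and the sample change names are assumptions, and it assumes (as the instruction to restart before changing the mode implies) that Save changes with next restart commits every change made since the last clear.

```python
from dataclasses import dataclass, field

# Mode names as they appear in the Windows Disk Protection tool.
CLEAR = "Clear changes with each restart"
SAVE = "Save changes with next restart"
RETAIN_ONE = "Retain changes for one restart"
RETAIN_INDEFINITELY = "Retain changes indefinitely"
MODES = (CLEAR, SAVE, RETAIN_ONE, RETAIN_INDEFINITELY)


@dataclass
class ProtectedPartition:
    """Hypothetical model: disk contents are a set of named changes."""
    baseline: set = field(default_factory=set)   # permanent contents
    pending: set = field(default_factory=set)    # changes since last clear/save
    mode: str = CLEAR

    def write(self, change):
        """Any write, by an operator or a user, lands in the pending set."""
        self.pending.add(change)

    def set_mode(self, mode):
        if mode not in MODES:
            raise ValueError(f"unknown mode: {mode!r}")
        self.mode = mode

    def visible(self):
        """What the logged-on user currently sees on the Windows partition."""
        return self.baseline | self.pending

    def restart(self):
        """Apply the restart action for the current mode; return the new mode."""
        if self.mode == CLEAR:
            self.pending.clear()
        elif self.mode == SAVE:
            # Everything pending becomes permanent, whoever wrote it.
            self.baseline |= self.pending
            self.pending.clear()
            self.mode = CLEAR
        elif self.mode == RETAIN_ONE:
            self.mode = CLEAR   # pending survives exactly this restart
        # RETAIN_INDEFINITELY: pending keeps accumulating, mode unchanged.
        return self.mode


def save_changes(clear_first):
    """Install one program using Save changes with next restart.

    clear_first=False skips step 1 of the procedure (the initial restart).
    Returns the permanent contents of the partition afterwards.
    """
    disk = ProtectedPartition(baseline={"windows", "office"})
    disk.write("toolbar-from-last-user")   # constructed leftover from a user session
    if clear_first:
        disk.restart()                     # default mode discards the leftover
    disk.set_mode(SAVE)
    disk.write("new-program")              # the operator's intended change
    disk.restart()
    return disk.baseline


def retain_for_one_restart():
    """Return what is visible after the first and the second restart."""
    disk = ProtectedPartition(baseline={"windows"})
    disk.set_mode(RETAIN_ONE)
    disk.write("temporary-program")
    disk.restart()
    after_first = disk.visible()
    disk.write("user-download")            # written during the user session
    disk.restart()
    after_second = disk.visible()
    return after_first, after_second, disk.mode


if __name__ == "__main__":
    print(sorted(save_changes(clear_first=False)))
    print(sorted(save_changes(clear_first=True)))
    print(retain_for_one_restart())
```

In the model, skipping the initial restart makes the previous user's leftover change permanent together with the operator's own.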


Chapter 7: Security Checklist 


Computer and online security is a growing concern for all computer users, and is 
especially important if you provide public access to shared computers. Security issues 
often seem complicated and overwhelming, but fortunately there are some relatively 
simple steps that you can take to improve the security of your shared computer 
environment. This chapter covers the following topics: 


• Physical security 
• BIOS protection 
• Software updates 
• Firewalls 
• Antivirus software 
• Antispyware 
• Web filtering 





Toolkit Administrator Security 


• Use a strong password. Any administrative account, including the Toolkit Administrator 
account on a shared computer, should have a strong password. Avoid practices such 
as using a common dictionary word, basing a password on your name, or using a 
common password such as “password” or “letmein”. Also avoid using a blank 
password for the Toolkit Administrator account. A strong password is: 

o Long. Passwords should be at least eight characters long, and longer is 
better. For the Toolkit Administrator password, consider using a password 
that is at least 15 characters long. 

o Complex. Passwords should use a combination of lower-case and upper-case 
letters, numbers, and symbols (for example, ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | 
[ ] \ : " ; ' < > ? , . / or a space character). 

• Use a passphrase instead of a password. In Windows XP, you can use a passphrase 
instead of a password. Passphrases can be long, complex, and easy to remember. 
Just make sure that you still use the same strong password rules mentioned 
previously. An example of a passphrase is “I taught my 3 old dogs 6 new tricks!” 

• Change the password regularly. Change passwords regularly and make them different 
from previous passwords. Just adding a number to the end of your regular password is 
not different enough. You should change administrative passwords monthly, if not 
more frequently. 

• Visually differentiate the Toolkit Administrator account from other accounts. Make it 
easy to determine at a glance if a user is logged on with the Toolkit Administrator 
account. Use a different desktop background and even a different color scheme for 
menus and windows. If your shared user accounts use the classic Start menu (as is 
recommended), you could have the Toolkit Administrator account use the Windows XP 
Start menu. 


• Remove the Toolkit Administrator account from the Welcome screen. Use the 
Welcome command-line tool to remove the Toolkit Administrator account from the 
Windows Welcome screen. At the Welcome screen, press CTRL-ALT-DEL to access the 
traditional logon dialog box, in which you can type the account name and password. 


Important 
If an untrusted user can start your computer from removable media, the computer is no 
longer yours. BIOS protections are critical security measures. 
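

The password rules in the Toolkit Administrator Security list above can be checked mechanically before an operator sets or changes a password. This Python function is an added example, not part of the Toolkit. The name check_password and its parameters are hypothetical, requiring all four character classes is one reading of the Complex rule, account_name stands in for "your name", and the common-password list holds only the two examples the Handbook gives.

```python
import re

# Only the two examples the Handbook names; extend with a local list.
COMMON_PASSWORDS = {"password", "letmein"}


def _strip_trailing_digits(text):
    """Remove a run of digits at the end, e.g. 'secret12' -> 'secret'."""
    return re.sub(r"\d+$", "", text)


def check_password(candidate, account_name="", previous="", admin=False):
    """Return a list of rule violations; an empty list means the candidate passes.

    admin=True applies the 15-character suggestion for the Toolkit
    Administrator account instead of the general 8-character minimum.
    """
    if candidate == "":
        return ["blank password"]

    problems = []

    # Long: at least 8 characters, 15 for the Toolkit Administrator account.
    minimum = 15 if admin else 8
    if len(candidate) < minimum:
        problems.append(f"shorter than {minimum} characters")

    # Complex: lower-case, upper-case, numbers, and symbols (a space counts).
    classes = {
        "lower-case letter": any(c.islower() for c in candidate),
        "upper-case letter": any(c.isupper() for c in candidate),
        "number": any(c.isdigit() for c in candidate),
        "symbol or space": any(not c.isalnum() for c in candidate),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")

    folded = candidate.lower()

    # Common passwords, including the same word with a number appended.
    if _strip_trailing_digits(folded) in COMMON_PASSWORDS:
        problems.append("common password")

    # Passwords based on a name.
    if account_name and account_name.lower() in folded:
        problems.append("based on the account name")

    # "Just adding a number to the end of your regular password is not
    # different enough": compare with trailing digits removed from both.
    if previous and _strip_trailing_digits(folded) == _strip_trailing_digits(previous.lower()):
        problems.append("previous password with only the trailing number changed")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_password("Password1"))
    print(check_password("Winter!Library2005", previous="Winter!Library2004", admin=True))
    print(check_password("I taught my 3 old dogs 6 new tricks!", admin=True))
```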





Physical Security 


Keep computers visible. If the shared computers are intended for public access, make 
sure that you can see what users are doing. Although it is usually inappropriate to look 
over a user’s shoulder during a session, you should at least be able to see whether 
the user is trying to open the computer case. 


Lock computers. Use locks on computer cases to ensure that users cannot open the 
cases. This prevents users from being able to open the case to add or remove 
components, or install monitoring devices. Use locks to keep computers and other 
devices attached to their tables or desks. Use optical mice instead of ball mice so that 
users cannot take the mouse ball. Also, if you provide headphones to users, secure 
the headphone cable to the computer case to help prevent theft or vandalism. 


Perform regular inspections. After a user finishes using a computer, inspect the 
computer and peripherals for any signs of tampering. Some monitoring devices attach 
to a parallel port or inline with a keyboard cable. 


Mark computers. Consider using an etching tool to mark the inside of computer cases 
with information that identifies the computer and your organization. Also record the 
model and serial numbers of computers and peripherals. 





BIOS Protection 


Update the BIOS. Ensure that your shared computer is running the latest BIOS version 
available from the manufacturer of the computer before you install Microsoft® 
Windows® XP. 


Password protect the BIOS configuration. This protection requires that a user enter a 
valid password to access the computer’s BIOS setup screens. 


Prevent startup from removable media. In the BIOS setup screens, disable the options 
that allow the computer to start from a CD-ROM, floppy disk, or removable USB drive. 
This will help ensure that users cannot start the computer with an alternate operating 
system and make changes to the computer. 


Use startup passwords if available. On some computers, the BIOS offers the ability to 
password protect starting of the computer from certain drives (most BIOS refer to this 
as a “boot” password). For example, you might be able to require a password for 
someone to start the computer using the floppy drive, CD-ROM drive, or even the hard 
drive. If you do not want to disable starting from removable devices, consider using a 
startup password. If a user can start using their own disk, they can usually circumvent 
any security measures you have in place. 





Software Updates 


• Enable critical updates in Windows Disk Protection. Use the Windows Disk Protection 
tool to enable critical updates and schedule regular updates. For more information, 
see the "Critical Updates" section in Chapter 6, “Windows Disk Protection.” 

• Check for updates with EULAs. Routinely (at least once a month) check for critical 
updates that require users to accept a EULA. Accept the EULA manually, and then 
save the changes to disk using Windows Disk Protection. 

• Check for recommended updates. Visit the Microsoft Update Web site monthly to 
check for recommended updates for Windows, Microsoft Office, and other software 
from Microsoft. 

• Update other software. Manually check for updates to third-party software. You should 
perform this check monthly. 





Firewalls 


• Use a perimeter firewall. Perimeter firewalls protect an entire network, blocking all 
traffic that isn’t explicitly allowed between the Internet and a local network. Firewalls 
can also hide the addresses of the computers behind your firewall, making individual 
computers on a local network invisible to the outside. A perimeter firewall might be a 
piece of hardware that you plug into your network or a program like Microsoft Internet 
Security and Acceleration (ISA) Server. 

• Use a local firewall. A local firewall is a program that you install on a computer to block 
unsolicited traffic coming into (and sometimes going out of) that computer. 
Windows XP with Service Pack 2 (SP2) comes with a local firewall called Windows 
Firewall that is enabled by default when you install SP2. 





Antivirus Software 


• Install reputable antivirus software. Antivirus software scans the contents of incoming 
e-mail messages (and files already on your computer) to detect virus signatures. If the 
software finds a virus, the software deletes or quarantines it. 

• Update the antivirus software regularly. Because hundreds of viruses are released 
each month, all antivirus software must be updated regularly with the latest signature 
definitions so that the software can catch the latest viruses. If you use the Windows 
Disk Protection tool, you can use a script that allows you to download and install 
updates to antivirus software and then save those changes to disk automatically as 
part of the critical updates process. 





Antispyware 


• Install reputable antispyware software. Antispyware software regularly scans the 
shared computer for spyware that has been installed. Some antispyware software has 
components that run in the background to help detect spyware before it is installed or 
makes changes to the computer. 

• Update the antispyware software regularly. As with antivirus software, you must keep 
antispyware updated so that it can detect the latest spyware threats. Although the 
Toolkit does not include scripts that you can use to update antispyware software, you 
can use the techniques discussed in Chapter 6, “Windows Disk Protection,” to update 
antispyware software and save the updates to disk. 







Web Filtering 


• Configure content options in Internet Explorer. You can use the Content Advisor in 
Internet Explorer to restrict Web sites that users can visit. Content Advisor restricts 
sites based on ratings governed by the Recreational Software Advisory Council 
(RSACi). Although rating systems are not perfect, they can provide increased 
protection for users against offensive Web sites. 

• Consider Web-filtering software. Many companies offer products that filter Internet 
use based on a variety of criteria. Typically, these services are much more robust than 
the built-in Content Advisor in Internet Explorer. You can learn more about software 
vendors by browsing the Content Filtering category at the Windows Marketplace. 


Chapter 8: Troubleshooting 


If you have problems installing the Toolkit or using any of its tools, the following tips and 
troubleshooting instructions can help. This chapter covers the following topics: 


• Install and uninstall 
• Suspicious/malicious script-blocking security software 
• User accounts and profiles 
• Windows Restrictions 
• Windows Disk Protection 





Install and Uninstall 


The following are suggested solutions for possible problems that you might encounter 
when you install and uninstall the Toolkit. 


Windows requires that I validate my copy of Windows when I try to open a tool in the 
Toolkit. 


The Shared Computer Toolkit requires a validated copy of Windows XP. Windows 
checks for validation before it allows access to any of the tools in the Toolkit. After 
validation, you will no longer see this message. 


I tried to validate Windows by going to the Windows Genuine Advantage Web site, but was 
unsuccessful. 


You can learn more about genuine Microsoft software and find information about the 
validation process (including troubleshooting information) on the About Genuine 
Microsoft Software Web site. 


I cannot validate my copy of Windows because I do not have Internet access on the 
shared computer. 


The Toolkit requires that you have Internet access to validate your copy of Windows. 
Internet access is only required temporarily for validation—you can remove it again 
after validation has completed. 


I installed the Toolkit, but I do not see shortcuts for any of the tools on the Start menu - 
only shortcuts for the Accessibility tool and the Online Resources for Using Public 
Computers page. 


The Start menu icons for the Toolkit are only installed for Toolkit Administrator—the 
administrative user account under which you installed the Toolkit. You must log on as 
the user who installed the Toolkit to use the tools. 


After I uninstalled the Toolkit, Windows displays Script Not Found errors for some users. 


Many functions of the Toolkit, such as timed logoff restrictions, require that the Toolkit 
be installed. To avoid this problem, remove restrictions and turn off Windows Disk 
Protection before you uninstall the Toolkit. To resolve this problem, reinstall the 
Toolkit, remove restrictions and turn off Windows Disk Protection, and then uninstall 
the Toolkit. 


Note 
Microsoft is working with various security vendors to ensure that future releases of the 
Shared Computer Toolkit are recognized by their products as valid scripts so that these 
error messages are not generated. 


After I uninstalled the Toolkit, Windows Disk Protection no longer protects my disk from 
changes. 


Many functions of the Toolkit, including Windows Disk Protection, require that the 
Toolkit be installed. 


After I uninstalled the Toolkit, the AutoRestart tool no longer works. 


Many functions of the Toolkit, including AutoRestart, require that the Toolkit be 
installed. 


I closed a tool by clicking the Close button in the upper-right corner of the tool’s dialog box 
and now I can’t open the tool again. 


If you force a tool to close, Windows may not successfully close the MSHTA.EXE 
process used to display tools. Open Task Manager, click the MSHTA.EXE process, and 
then click End. After ending the process manually, you should be able to open the tool 
again. 

Automatic scrolling is sometimes very slow in the window for the Getting Started tool. 


It is likely that there is a problem with the video driver for the graphics adapter on the 
shared computer. Ensure that you are using the latest driver available for your device. 





Suspicious/Malicious Script-Blocking Security Software 


The following are suggested solutions for possible problems that you might encounter if 
you run script-blocking software. 


My security software displays an error during installation of the Toolkit that states that it 
has blocked a suspicious or malicious script. 


Some security programs report installation of the Toolkit as a high-risk script. If you see 
this error during installation and your security software supports it, you should allow 
the script to run. 


Norton Antivirus or other script-blocking software displays pop-up messages that state 
that a malicious script has been detected when I run many of the tools in the Toolkit. 


Because many of the tools in the Toolkit are scripted, script-blocking software detects 
when the tools are used and warns you about the possibility of malicious scripts. The 
scripts used by the Toolkit are not malicious. There are two ways to handle this 
problem: 


• Disable script-blocking in your security software while you use the tools in the 
Toolkit. 

• If your script-blocking software supports it, tell the software to authorize the 
script and not to ask about the script again. If you do this, you should only see 
the pop-up messages appear the first time you use each script. 


Microsoft AntiSpyware or another antispyware program asks for approval before allowing 
“GetStarted.hta” to be added to Windows startup. 


The GetStarted.hta file opens the Getting Started tool each time you log on as the 
Toolkit administrator. In order for Getting Started to run on startup, you must allow 
your antispyware program to add the GetStarted.hta file to startup.


User Accounts and Profiles


The following are possible problems that you might encounter when you configure user 
accounts and profiles for use on a computer and suggested solutions. 


Windows automatically logs on a particular user, even though I have not configured it to
do so.


If there is only one account listed in the Windows Welcome screen and that account is 
configured with a blank password, Windows automatically logs on with that user 
account. This is a feature of Windows, not of the Toolkit. To prevent this from 
happening, assign a password to the account or create another account. 


Users of the shared computer report that every time they run a program, they have to
accept a licensing agreement, even if they have already done so in a previous session.


There are two possible causes for this problem: the profile is locked, or Windows Disk
Protection clears the changes made by the user when the computer restarts.


• To prevent this, run programs the first time for each user account before you
  lock profiles or turn on Windows Disk Protection.

• To solve this problem if it occurs, restart the computer, select Save changes
  with next restart in Windows Disk Protection, clear the Lock this profile check
  box, log on as the user, run the program, and then restart the computer.


Users report the following error when they log on: “This operation has been cancelled due 
to restrictions in effect on this computer. Please contact your system administrator.” 


This error message occurs because Windows Restrictions is configured to block 
access to the C drive and the user’s profile is stored on the C drive. The error appears 
when Windows Explorer attempts to access special folders (such as My Documents
and My Music) that are located on that drive. To resolve this problem, remove the 
Windows Explorer shortcut from the Start menu and replace it with a shortcut to My 
Computer. 


The Create Profile button does not display in the User Profiles tool. 

The user profile already exists. Delete the user profile if you want to create a new one.


The Delete Profile button does not display in the User Profiles tool.

The user profile does not exist. 


Icons that do not exist in the Start menu folder of a user’s profile display on the user’s 
Start menu. 


Windows XP builds a user’s Start menu by combining icons in the Start menu folders of
the All Users profile and the individual user’s profile. The icons on the user’s Start 
menu likely exist in the All Users Start menu folder. 


I installed a new program and, during installation, I selected the option to make the
program available to all users. The shortcut appears on some users’ Start menus, but not
on others.


Installation programs typically install shortcuts to the Start menu folder for the All 
Users profile. The accounts on which the shortcuts do not appear are likely restricted 
to prevent the user’s Start menu from showing icons from the All Users Start menu 
folder.


When I create a new user profile, the profile disappears after I restart the computer.


Windows Disk Protection clears changes made to the hard disk when the computer 
restarts. You must either use Windows Disk Protection to select the Save changes 
with next restart mode or create the user profile on a persistent partition. To do this, 
you must create a partition that is separate from the Windows partition that is 
protected by Windows Disk Protection. 


The shared computer has some programs that cannot be run by a limited user account 
because they require an administrative account. 


Although not a recommended scenario, it is possible to restrict an administrative 
account so that users can run such programs. For more information, see the “Restrict 
an Administrative Account” section in Chapter 9, “Advanced Scenarios.” 





Windows Restrictions 


The following are suggested solutions for possible problems that you might encounter 
when you use the Windows Restrictions tool. 


I used the Windows Restrictions tool to change settings, but after I restart the computer,
those changes are not there.


Windows Disk Protection clears changes made to the hard disk when the computer 
restarts. You must either use Windows Disk Protection to select the Save changes 
with next restart mode or create the user profile on a persistent partition. 


The Getting Started tool displays an error that states “Software Restriction Policy on this
computer does not apply to administrative accounts.”


This warning appears only on computers where Software Restriction Policy has 
previously been configured on the computer so as not to apply to Administrators. The 
installation of the Toolkit creates several Software Restriction Policy registry keys. One 
key in particular, the PolicyScope key, defines whether Software Restriction Policy 
applies to everyone (administrators included) or just users. If this key has previously 
been set to “just users,” the Toolkit installation does not apply Software Restriction 
Policy to administrators. This helps to ensure that the Software Restriction Policy does 
not inadvertently restrict administrator accounts. 
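
To see how Software Restriction Policy is scoped on a shared computer, the following batch
script reads the PolicyScope value and the policy's default level. It is an added example,
not part of the Toolkit or the Handbook, and it assumes the policy is stored under the
standard Windows registry location for computer-wide Software Restriction Policy (KEY).

```batch
@echo off
rem Added example (not Toolkit code): report the scope and default level of
rem Software Restriction Policy (SRP) on this computer.
rem Assumption: SRP settings are stored under the standard Windows location
rem for computer-wide policy, set in KEY below.
setlocal
set KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
set SCOPE=
set LEVEL=

rem reg.exe prints "name  type  data"; the third field is the DWORD as hex.
rem "find" drops the header lines that reg.exe prints before the value.
for /f "tokens=3" %%V in ('reg query "%KEY%" /v PolicyScope 2^>nul ^| find "PolicyScope"') do set SCOPE=%%V
for /f "tokens=3" %%V in ('reg query "%KEY%" /v DefaultLevel 2^>nul ^| find "DefaultLevel"') do set LEVEL=%%V

if not defined SCOPE echo PolicyScope is not set under %KEY%.
if "%SCOPE%"=="0x0" echo PolicyScope = 0: SRP applies to all users, administrators included.
if "%SCOPE%"=="0x1" echo PolicyScope = 1: SRP applies to all users except local administrators.

if not defined LEVEL echo DefaultLevel is not set under %KEY%.
if "%LEVEL%"=="0x0" echo DefaultLevel = Disallowed: only programs matched by an allow rule run.
if "%LEVEL%"=="0x40000" echo DefaultLevel = Unrestricted: programs run unless a rule blocks them.
endlocal
```

A PolicyScope of 1 corresponds to the “just users” setting described above.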


Users report that they are not able to change settings in Windows even though Windows 
Disk Protection is on. 


You have likely used the User Profiles tool to lock the user profile. 


I used Windows Restrictions to disable Internet access for a user, but the user can still use
Internet Explorer to access the Internet.


The shared computer is likely set to configure its proxy server settings automatically
and is drawing those settings from the network proxy server, which overrides the Disable
Internet Access restriction (which works by setting Internet Explorer to use no proxy).
In the Internet Options dialog box, on the Connections tab, click LAN Settings. In the 
Local Area Network (LAN) Settings dialog box, clear the Automatically Detect Settings 
check box. Note that you may need to remove restrictions from the user profile and 
set Windows Disk Protection to save changes before performing this action.


I set the restriction to prevent Microsoft Office Programs from running, but users are still
able to run Microsoft Office programs.


Most likely, Microsoft Office is not installed in the default location. This restriction 
works by preventing programs in C:\Program Files\Microsoft Office from running. If 
Microsoft Office is installed in another folder, the restriction will not work. 


Some games (such as Halo PC or Call of Duty) and other programs that use copy 
protection do not work properly when Software Restriction Policy is turned on. 


The Software Restriction Policy can prevent some copy-protected games from running. 
To use those games, you must not use Software Restriction Policy. Keep in mind, 
though, that turning off Software Restriction Policy significantly weakens the security 
for the profile. 





Windows Disk Protection 


The following are suggested solutions to possible problems that you might encounter 
when you use Windows Disk Protection. 


I cannot turn on Windows Disk Protection.


Make sure that the shared computer is prepared to use Windows Disk Protection. For 
more information, see Chapter 2, “Prepare the Disk for Windows Disk Protection.” 


Windows displays a message that states “Enhanced Write Filter is committing changes to
disk.”


This message is expected and appears when you use Windows Disk Protection to 
Save changes with next restart. 


After I turn on Windows Disk Protection, restart the computer, and log on as an
administrator, Windows displays an error message that states that it has finished 
installing new devices and requires that the computer be restarted. This continues to 
happen through successive restarts. 


This problem can occur when Windows makes changes to the system after you turn 
on Windows Disk Protection. You should open Windows Disk Protection, select the 
Save changes with next restart mode, and then restart the computer. If the problem 
prevents you from logging on or accessing Windows Disk Protection, press F8 before 
Windows startup to access the Advanced Startup Options screen. Select the 
Enhanced Write Filter Restore Mode option to allow Windows Disk Protection to save 
changes to the disk. 


When I log on to the shared computer, Windows displays a message that a critical update
requires that I accept a licensing agreement. Even when I accept it, I see the same
message the next time I restart the computer and log on.


Windows Disk Protection clears changes made to the hard disk when the computer 
restarts, including the installation of the update. The scheduled update feature of 
Windows Disk Protection cannot automatically accept a licensing agreement. You 
should restart the computer, log on as an administrator, configure Windows Disk 
Protection to Save changes with next restart, install the update, and then restart 
Windows. 


When I run Windows Disk Protection, Windows prompts me to restart the computer.


Windows Disk Protection requires that the computer be restarted once after 
installation before you can turn on the tool. This is by design.


I installed a new hard disk on the shared computer and used partitioning software to
move Windows to the newer, bigger hard disk. Now, Windows Disk Protection is not
working.


If the disk partition on which Windows is stored on a shared computer changes after 
Windows Disk Protection is turned on, you will need to turn off Windows Disk 
Protection and then turn it back on. 


Windows Disk Protection seems to protect the files in the Windows directory just fine, but 
doesn’t protect my system partition. The boot partition and system partition are separate 
partitions on the shared computer. 


Most computers running Windows XP use a single disk partition to hold the system 
and boot partitions for the computer. In this circumstance, Windows Disk Protection 
protects the system and boot partitions. If the system and boot partitions are on 
separate disk partitions, Windows Disk Protection protects only the boot partition, 
which holds the %Windir% directory—the system partition is not protected. 


Chapter 9: Advanced Scenarios 


This section of the Handbook focuses on advanced scenarios that might fit your needs 
when you manage a shared computer environment. Specifically, this section contains 
information about how to: 


• Store persistent user data
• Configure a User Start menu to not use the All Users Profile
• Restrict a shared administrative account
• Block Microsoft® ActiveX® controls in Internet Explorer
• Use simple site filtering to control Internet access
• Use a central script for common client updates
• Restrict children on a family computer
• Add third-party software restrictions
• Create a mandatory profile for multiple users
• Image or clone a Toolkit-secured computer





Store Persistent User Data 


On some shared computers, you may want users to be able to customize their user profile 
or store data, and have these changes not be discarded by Windows Disk Protection when 
the computer restarts. There are two ways to store persistent user data: 


• Create a partition that is separate from the Windows partition that Windows Disk
  Protection protects. Use this separate partition to store user profiles and other
  user data. The advantage of using this method is that you can allow persistent
  user profiles while still protecting the shared computer with Windows Disk
  Protection.

• Use a USB drive or network location to allow the storage of persistent user data.
  This method allows users to save data they create, but does not provide a good
  way to store persistent profiles.


Storing Persistent User Data on a Separate Partition 


You can create a new partition to hold persistent data by using the Disk Management tool 
in Windows XP. To create a new partition in this manner requires that you have enough 
unallocated disk space with which to create the partition, and that the new partition not 
take away from the unallocated space required to use the Windows Disk Protection tool. 
After you create a new partition, you can use the User Profiles tool to create user profiles 
on the new partition instead of in the default location on the Windows partition. 


Create a New Partition with the Disk Management Tool 


You can use the Disk Management tool in Windows XP to create a new partition from 
unallocated space.


user profile: A collection of folders, files, and configuration settings that define the
user’s environment.


To create a new partition by using the Disk Management tool

1. In the Disk Management window, right-click the unallocated space on the disk on
   which you want to create a partition, and then click New Partition.

2. On the Welcome page of the New Partition Wizard, click Next.

3. On the Select Partition Type page of the wizard, accept the default option for Primary
   partition, and then click Next.

4. On the Specify Partition Size page of the wizard, determine the amount of unallocated
   space that you want to use to create the new D volume. Make sure that you leave
   enough unallocated space to at least match the size of the Windows partition, or
   1 GB—whichever is greater.

5. On the Assign Drive Letter or Path page of the wizard, accept the default
   recommendation for assigning a drive letter, and then click Next.

6. On the Format Partition page of the wizard, accept the default settings to create the
   new partition, click Next, and then, on the final page of the wizard, click Finish.





Create Persistent Profiles with the User Profiles Tool 


A user profile is a collection of folders, files, and configuration settings that define the 
environment for a user who logs on with a particular user account—each user account has 
an associated profile. Typically, a user profile is not created until the first time that a user 
logs on to the computer with a new user account. When this logon happens, Windows 
automatically creates a new user profile for that user account. 


The User Profiles tool lets you create and delete user profiles for existing user accounts. 
You can also create the profiles on alternative partitions. 








To create or delete persistent user profiles by using the User Profiles tool

1. Log on using an administrative account.

2. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and
   then click User Profiles.

3. In the User Profiles window (shown in the following figure), click Select an Account.

4. In the Select an Account to Manage window, click the user account you want to
   manage.

5. In the User Password box, type the password for the user account.

6. Perform one of the following options:

   • To create a profile for the user account, select the drive on which to create the
     partition from the Profile Location drop-down menu, and then click Create Profile. If
     you do not see this button, a user profile already exists for the user account.

   • To delete a user profile for the account, click Delete Profile. If you do not see this
     button, a user profile does not yet exist for the user account.

   • To open the User Accounts window to create and manage local user accounts,
     click Manage Users.

7. After you finish, click Close.


Figure 9.1 Use the User Profiles tool to create and delete user profiles.


Note: There are certain settings that must be unique to each computer, such as the
computer name. To answer this need, Windows Setup Manager allows the creation of a file
called a uniqueness database file (UDF), which is used in conjunction with the standard
answer file. The UDF contains the settings that are unique to each computer.


Note: If users share a USB drive or network location, there is no way to keep documents
private. Users of the same shared account will be able to view each others’ files.


Change the Default Location Where User Profiles are Installed 

It is possible to change the default location where user profiles are installed, but the only 
way to make this change is during Windows XP installation, and you must make the 
change by automating the installation of Windows with a special answer file. This method 
changes the location where all user profiles are stored, including the Default and All Users
profiles. This allows you to have Windows automatically create profiles on a persistent 
partition instead of having to use the User Profiles tool to specify the location of profiles as 
they are created. 


At several points during a standard installation, Setup requires that the user provide 
information, such as the time zone, network settings, and so on. One way to automate an 
installation is to create an answer file that supplies the required information. Answer files 
are text files that contain responses to some, or all, of the questions that Setup asks 
during the installation process. After creating an answer file, you can apply it to as many 
computers as necessary. 


The easiest way to create an answer file for an unattended installation of Windows XP is to 
use Windows Setup Manager, a deployment tool that provides a wizard-based interface for 
creating the answer file. For more information about using Setup Manager to automate 
installations, see Automating and Customizing Installations. 





After you create an answer file, you can change the default location where user profiles 
are stored by adding the following entry to the unattend.txt file: 


[GuiUnattended]
ProfilesDir = drive:\foldername


Using Removable USB Drives or Network Locations 


Windows XP provides the ability to redirect the My Documents folder (typically stored 
within a user’s profile) to a different location. If you use Windows Disk Protection, but still 
want to provide users with the ability to save documents, you can redirect the My 
Documents folders to a removable drive such as a USB drive or to a network location. 








To redirect a user’s My Documents folder to a USB drive

1. Restart the computer to clear recent disk changes.

2. Log on as the Toolkit administrator.

3. If Windows Disk Protection is turned on, start the Windows Disk Protection tool, click
   Save changes with next restart and then click OK.

4. Start the Windows Restrictions tool.

5. Disable restrictions for the user account for which you want to redirect the My
   Documents folder. This step is necessary if restrictions prevent the user from
   right-clicking.

6. Log off and then log on using the user account for which you want to redirect the My
   Documents folder.

7. Insert a USB drive and wait for Windows to recognize it.

8. Click Start, right-click My Documents, and then click Properties.

9. In the My Documents Properties dialog box, click Move.

10. In the Select a Destination dialog box, click the USB drive or network location and
    then click OK.

11. In the My Documents Properties dialog box, click OK.

12. Windows displays a Move Documents dialog box that asks whether you want to move
    documents from the old location to the new location. Click Yes to move the
    documents or No to leave the existing documents in the old location.

13. Log off and then log on as the Toolkit administrator. If you disabled any restrictions in
    Step 1, re-enable those restrictions now.

14. Restart the computer to allow Windows Disk Protection to save changes and revert to
    the default Clear changes with each restart mode.

15. Log on as the user and test the My Documents folder and any restrictions placed on
    the user.











Configure a User Start menu to Not Use the All Users Profile 


One of the optional restrictions available in the Windows Restrictions tool allows you to
prevent shortcuts from the Start menu for the All Users profile from being displayed in
the Start menu for individual user profiles. This restriction allows you optimal control
over what appears on Start menus, but also requires a bit more work to configure properly.
In particular, you will address two added concerns:


• When you set up a user profile that will use this restriction, no shortcuts appear
  by default in the user’s Start menu. You must use Windows Explorer to copy the
  shortcuts that you want from the Start menu of the All Users profile. Steps for
  accessing these folders in Windows Explorer are covered in Chapter 3, “User
  Profiles.”

• When you install new programs on the shared computer, the installation program
  will create shortcuts in the Start menu of the All Users profile. To have the
  shortcuts appear on the Start menus for individual users, you must copy the
  shortcuts from the All Users Start menu to the user's Start menu. In addition, if
  Windows Disk Protection is turned on, you will need to configure it to retain
  changes when you copy the shortcuts. For more information, see Chapter 6,
  “Windows Disk Protection.”





Restrict a Shared Administrative Account


Note: You can find a list of third-party programs that do not work with limited user
accounts in the Certain Programs Do Not Work Correctly If You Log On Using a Limited User
Account article.


Important: Because local administrative accounts have access to administrative tools, a
user who logs on with a shared administrative account could possibly disable restrictions
provided by the Toolkit, including deleting the overlay partition used by Windows Disk
Protection. Although the Toolkit can help restrict an administrative account, it cannot
remove all security risks associated with using such an account.


Microsoft strongly recommends that you only allow users of the shared computer to log on 
with limited user accounts. This helps to ensure limited access to computer resources and 
provide the most secure environment. When using a limited user account, users will not 
have access to any administrative tools and privileges through which they could introduce 
unwanted changes to the operating system and programs. 


However, there are some third-party programs that have not been properly designed to run 
using a limited user account and do not meet Windows XP logo requirements. Instead, a 
user must log on with a shared administrative account to run the programs. Although it is 
better to avoid such programs and use only limited user accounts, this is not always 
possible and you may need to allow users to log on with administrator accounts. This 
scenario is particularly true in locations such as Internet gaming cafes because many 
Internet-based and network-based multiplayer games require an administrative account to 
run. Some older educational programs experience similar problems. 


If you have software with this administrative account limitation, take the following steps: 


• Investigate if the software can be upgraded to a version that runs correctly with
  limited user account privileges on Windows XP.

• Investigate if the software can be replaced with another product that runs
  correctly with limited user account privileges on Windows XP.

• Investigate if the software can be removed from your environment with a limited
  impact on your business needs.


If you cannot accomplish all of these steps, you might find it necessary to allow some
users to use a shared administrative account to use certain programs.


If this is true in your environment, you can use the Windows Restrictions tool and the
Windows Disk Protection tool together to help restrict the activities of these shared
administrative accounts and increase the security of the computer. However, no solution
will provide 100 percent protection from administrative accounts.


To restrict a shared administrative account

1. Log on as the Toolkit administrator.

2. Click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and
   then click Windows Restrictions.

3. In the Windows Restrictions window, click Select a Profile.

4. In the Select a Profile to Restrict window, click the shared administrator account you
   want to restrict.

5. In the Windows Restrictions window, in the General Settings section, click Select
   Drives to Restrict.

6. In the Select Drives to Restrict window, click Restrict All. If absolutely necessary, you
   could allow access to removable or network drives to which the user might need
   access. However, it is more secure to leave all drives restricted. Click OK.

7. In the Windows Restrictions window, select the Recommended Restrictions for Shared
   Accounts check box. Be sure to leave all of the restrictions selected; clearing any of
   the restrictions creates an opening that could be abused by a malicious person who
   uses the administrative account.

8. Click OK to apply the restrictions and close the Windows Restrictions tool.


Block ActiveX Controls in Internet Explorer


Internet Explorer provides a method of controlling security based on security zones, 
including being able to block ActiveX controls. Security zones contain lists of Web sites 
deemed to have similar security settings requirements. The four zones provided are as 
follows: 


• Internet. Contains all Web sites that you have not placed in other zones.

• Local Intranet. Contains all Web sites that are on the local network. By default,
  this zone includes all sites that bypass the proxy server (if a proxy server is being
  used) and all local network paths.

• Trusted Sites. Contains Web sites that are believed to be safe. There are no sites
  in this zone by default.

• Restricted Sites. Contains Web sites that could potentially be harmful. There are
  no sites in this zone by default.


Although it is generally a good idea to leave each security zone set to its defaults, you can 
customize the security level for each site if the default settings are not adequate for a 
user. By default, the Internet security zone prevents the downloading and installation of 
unsigned ActiveX controls. To increase this security, you will customize the Internet 
security zone. 





To block ActiveX controls in Internet Explorer

1. Log on as the Toolkit administrator.

2. If necessary, remove restrictions from the user account for which you want to block
   ActiveX controls and configure Windows Disk Protection to Save changes with next
   restart.

3. Log on as the user for which you want to block ActiveX controls.

4. Start Internet Explorer.

5. In Internet Explorer, on the Tools menu, click Internet Options.

6. In the Internet Options dialog box, click the Security tab.

7. Click the Internet security zone, and then click Custom Level.

8. In the Security Settings dialog box, disable each of the settings in the ActiveX controls
   and plug-ins section of the list.

9. Log on as the Toolkit administrator again, enable restrictions for the user, and then
   restart the computer.














Use Simple Site Filtering to Control Internet Access 


The Windows Restrictions tool provides a way to disable Internet access. Although it might 
be necessary on some shared computers to enable Internet access, you should limit the 
sites to which a user can connect. 


If your network does not use a proxy server for Internet access, manually enter proxy 
exceptions in Internet Explorer for sites to which you want to allow access and then use 
Windows Restrictions to disable Internet access (for more information, see Chapter 4, 
“Windows Restrictions”).


To manually enter proxy exceptions in Internet Explorer

1. Log on as the Toolkit administrator.

2. If necessary, remove restrictions from the user account for which you want to enter
   proxy exceptions and configure Windows Disk Protection to Save changes with next
   restart.

3. Log on as the user for which you want to enter proxy exceptions.

4. Start Internet Explorer.

5. In Internet Explorer, on the Tools menu, click Internet Options.

6. In the Internet Options dialog box, on the Connections tab, click LAN Settings.

7. In the Local Area Network (LAN) Settings dialog box, select the Use a proxy server for
   your LAN check box, and then click Advanced.

8. In the Proxy Settings dialog box, in the Exceptions section, enter the URLs for the Web
   address to which you want to allow access, and then click OK.

9. Click OK, and then click OK again.

10. Log on as the Toolkit administrator again, enable restrictions for the user (including
    disabling Internet access), and then restart the computer.
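
To confirm that the exception list entered in step 8 was saved for the user, the following
batch script lists the proxy settings of the account that runs it. It is an added example,
not part of the Toolkit or the Handbook; it assumes you run it while logged on as that user,
before restrictions are re-enabled in step 10, and it reads the standard Internet Explorer
values under the registry key set in KEY.

```batch
@echo off
rem Added example (not Toolkit code): show the Internet Explorer proxy
rem settings of the user running this script, one exception per line.
rem ProxyEnable, ProxyServer and ProxyOverride are the standard value names
rem behind the LAN Settings and Proxy Settings dialog boxes.
setlocal
set KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
set "REST="

echo Proxy settings for %USERNAME%:
rem reg.exe prints "name  type  data"; "find" drops its header lines.
for /f "tokens=3" %%V in ('reg query "%KEY%" /v ProxyEnable 2^>nul ^| find "ProxyEnable"') do echo   ProxyEnable = %%V [0x1 = a proxy server is in use]
for /f "tokens=2*" %%T in ('reg query "%KEY%" /v ProxyServer 2^>nul ^| find "ProxyServer"') do echo   ProxyServer = %%U
for /f "tokens=2*" %%T in ('reg query "%KEY%" /v ProxyOverride 2^>nul ^| find "ProxyOverride"') do set "REST=%%U"

if not defined REST (
  echo   No proxy exceptions are set for this user.
  goto done
)

echo   Sites that bypass the proxy server:
rem ProxyOverride is one semicolon-separated string. Peel off one entry per
rem pass; the quoted "set" keeps entries such as ^<local^> from being read
rem as redirection, and for /f avoids wildcard expansion of *.example entries.
:next
set "MORE="
for /f "tokens=1* delims=;" %%A in ("%REST%") do (
  echo     %%A
  set "MORE=%%B"
)
set "REST=%MORE%"
if defined REST goto next

:done
endlocal
```

Every site printed under the last heading is reachable by the user after Internet access is
disabled, so the list should contain only the sites you intend to allow.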


Use a Central Script for Common Client Updates


If you have a number of shared computers on a network, there may be times when you 
need to apply an update or perform an installation on all of those shared computers even 
though Windows Disk Protection is turned on. To address this issue, you can use the Other 
Script option in Windows Disk Protection to call a common script from a network location. 


For example, you could keep a script named sharedupdate.bat in a shared folder on the 
network. Generally, you would keep this script empty—a blank document. Each day during 
the regular update process, shared computers would execute this empty script to no 
effect. When you want the shared computers to run a script (say, to install a new program),
you could simply add the proper script to the sharedupdate.bat file. After the regular 
update cycle, when all of the shared computers have run the script, you could return the 
sharedupdate.bat file to its empty state. 
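
As an illustration of what sharedupdate.bat might contain on a day when it is not empty, the
following added example (not part of the Toolkit or the Handbook) installs one package
silently and records the result. The server name, share, package name, and the marker and
log paths are placeholders, and it assumes that changes made during the update process are
kept on the protected disk.

```batch
@echo off
rem sharedupdate.bat - added example of a non-empty central update script.
rem Placeholders (not from the Handbook): \\SERVER\Updates, ExampleApp,
rem and the marker and log paths. Assumes changes made while this script
rem runs in the update process are kept on the protected disk.
rem Every shared computer runs whatever this file contains, so only
rem operators should have write access to the folder that holds it.
setlocal
set PKG=\\SERVER\Updates\ExampleApp\setup.msi
set STATE=%SystemRoot%\SharedUpdate
set MARKER=%STATE%\ExampleApp-1.0.done
set LOG=%STATE%\sharedupdate.log

if not exist "%STATE%" mkdir "%STATE%"

rem Install once per computer: skip when the marker from an earlier run exists.
if exist "%MARKER%" goto end

if not exist "%PKG%" (
  >> "%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: package not found: %PKG%
  goto end
)

rem /qn = no user interface, /norestart = the installer does not restart Windows.
rem start /wait makes the script wait for the installer and pass on its exit code.
start "" /wait msiexec /i "%PKG%" /qn /norestart
set RC=%ERRORLEVEL%

rem 0 = success, 3010 = success but a restart is required.
if "%RC%"=="0" goto ok
if "%RC%"=="3010" goto ok
>> "%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: install failed, msiexec exit code %RC%
goto end

:ok
> "%MARKER%" echo ExampleApp 1.0 installed %DATE% %TIME%
>> "%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: ExampleApp 1.0 installed, exit code %RC%

:end
endlocal
```

The marker file keeps a computer from reinstalling the package if the script is still in
place at the next update cycle.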





Restrict Children on a Family Computer 


Although not the intended purpose of the Toolkit, one exciting possibility the Toolkit offers 
is the ability to restrict the actions of other kinds of users in other environments. One such 
environment is a home computer used by children. 


On a home computer, the Windows Restrictions tool makes it easy to control the Windows 
features and programs that a child can access. For example, you could restrict a child
in the following ways: 


• Prevent the child from using Internet Explorer or Windows Messenger.
• Prevent the child from changing the profile used to log on to Windows.
• Apply time restrictions to the child’s computer use.
• Restrict access to Windows features that would enable the child to modify
  configurations or run inappropriate programs.
• Restrict the features and programs that are available on the Start menu.


Important: The examples provided here are not intended as prescriptions for keeping your
child safe, but as examples of how you could use the tools in the Toolkit to help implement
a security and privacy plan for your child. The document Learning Resources for New Users
provides links to a number of online resources that you can use to learn more about
children and computers.


You could also use the Windows Disk Protection tool to ensure that children cannot make 
permanent changes to the Windows configuration. In addition, Windows Disk Protection 
would prevent children from being able to install spyware or malware (whether the 
installation is accidental or purposeful). 


Example 1: Restrict a Young Child 

For a young child, particularly one who is first learning to use a computer, a parent’s goal 
is both to protect the child from the dangers associated with online activity and to protect 
the computer from the fearless explorations of the child. 


You could use the Toolkit to restrict a young child’s activities in the following ways: 
• Windows Restrictions 

  o Lock the user profile so that no permanent configuration changes are 
    allowed. If you lock the user profile, you can redirect the My Documents folder 
    for the user profile to a folder on a persistent partition so that the child can 
    still save documents. You could also store the user profile on the Windows 
    partition and turn on Windows Disk Protection for additional protection. 

  o Configure the Start menu so that only local games are available—not 
    Internet-based games. You could also make games that have inappropriate content 
    unavailable to young children. 

  o Disable Internet access. Experts suggest that young children only be allowed 
    access to the Internet when parents or teachers are there to help them, or at 
    least only be allowed to use the Internet on a computer that is in a public 
    family area. 

  o Disable Windows Messenger. Most experts agree that instant messaging 
    programs are not appropriate for young children. 

  o Prevent disk access to all disks except the disk on which the child is allowed 
    to store documents. 

  o Set time restrictions that enforce the limits you have chosen for your family. 

  o Configure Windows Restrictions to prevent access to areas of the operating 
    system the child should not be involved with. 

  o Configure Start menu restrictions to prevent access to operating system 
    features and programs. 

• Windows Disk Protection 

  o Turn on Windows Disk Protection so that changes a child makes are not 
    saved. This is especially important if you allow the child to access the 
    Internet, e-mail, Windows Messenger, or have access to configuration tools. 


Example 2: Restrict a Teenager 


For a teenager, you will probably want to set fewer restrictions than for a young child. In 
particular, teenagers will often need access to the Internet, e-mail, and Windows 
Messenger. Teenagers will also find it more important to be able to configure their desktop 
environment, and might even enjoy having access to other configuration tools so that they 
can learn more about the operating system. 
You could use the Toolkit to restrict a teenager’s activities in the following ways: 

• Windows Restrictions 

  o Do not lock the user profile. Teenagers will want to be able to configure their 
    environment. Redirect the My Documents folder for the user profile to a 
    folder on a persistent partition and also store the user profile on a persistent 
    partition, such as a D: drive. 

  o You may want to configure the Start menu so that some Internet games are 
    available to your teenager. If not, you should configure the Start menu so that 
    only local games are available. 

  o Enable Internet access and Windows Messenger. You might want to use the 
    privacy options in Internet Explorer or configure additional parental controls 
    for Internet use. 

  o Set time restrictions that enforce the limits you have chosen for your family. 

  o Configure Windows Restrictions to prevent access to some areas of the 
    operating system. 

  o Configure Start menu restrictions to prevent access to operating system 
    features and programs. 

• Windows Disk Protection 

  o Turn on Windows Disk Protection so that changes made to the Windows 
    partition are not saved. 





Add Third-Party Software Restrictions 


The command-line tool Restrict.wsf allows you to configure restrictions for a user profile by 
using restrictions stored in an XML file. Examples of ways that you can use this tool with 
an XML file include the following: 


• Use a preconfigured XML file to apply restrictions to users. The Toolkit includes 
  several sample XML files in the XML folder inside the program’s folder (C:\Program 
  Files\Microsoft Shared Computer Toolkit\xml) by default. For example, the file 
  Restrict.Office.XML can be used to restrict Microsoft programs and also customized to 
  restrict third-party programs. 

• Use Restrict.wsf to create an XML file for a user. You could then customize the XML 
  file to add restrictions for the user or for additional users. 

• Use Restrict.wsf to apply an XML file to a user. 

• Use Restrict.wsf to lock or unlock a profile. 


For details on syntax for using Restrict.xml, see Microsoft Shared Computer Toolkit Help. 
Create a Mandatory Profile for Multiple Users 


Mandatory user profiles are essentially roaming profiles to which users cannot make 
permanent changes. Mandatory user profiles are available in Windows XP Professional, 
but not in Windows XP Home Edition. Mandatory user profiles are stored on a network 
server and are downloaded and applied each time a user logs on. The profile is not 
updated when the user logs off. The Lock this Profile option in the Windows Restrictions 
tool works by turning the user profile into a mandatory user profile. This means the profile 
also becomes a roaming profile and is available for use on different computers on the 
network. 


The advantage of using a mandatory profile is that you can make changes only to the 
master mandatory profile and have that profile used on any shared computer. The 
potential disadvantage of mandatory profiles is that the shared computer must have 
network access for a user to log on. If a mandatory user profile is unavailable, the user 
cannot log on. 


To create a mandatory profile for multiple users: 
1. Create a shared folder on a network server that will hold profiles. 
2. Create a subfolder in that shared folder for each mandatory profile you want to use. 


3. On each shared computer, use the Computer Management tool to open the Properties 
dialog box for each user account that will use the mandatory profile. In the dialog box, 
on the Profile tab, in the Profile Path box, type the network path to the share where 
the profile is saved (for example, \\server1\profiles\user1). 


4. Create, configure, and restrict a user profile and then copy that user profile to the 
appropriate network share. 


5. In the network share, in the profile folder, rename the Ntuser.dat file to Ntuser.man. 
This changes the profile from a simple roaming profile to a mandatory profile. 
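
A way to check the result of steps 4 and 5 across a whole profile share, as an added example that is not part of the Toolkit or the Handbook. It assumes the share is laid out as one subfolder per profile, as in step 2; the helper names and the sample folders (user1 to user5) are constructed for illustration.

```python
import os
import tempfile


def classify_profile(folder):
    """Classify one profile folder by the registry hive files it contains."""
    # Windows file names are case-insensitive, so compare in lower case.
    names = {n.lower() for n in os.listdir(folder)
             if os.path.isfile(os.path.join(folder, n))}
    has_man = "ntuser.man" in names
    has_dat = "ntuser.dat" in names
    if has_man and has_dat:
        return "ambiguous"   # hive was copied rather than renamed; review by hand
    if has_man:
        return "mandatory"   # step 5 completed
    if has_dat:
        return "roaming"     # step 5 not done: user changes are written back
    return "no-hive"         # step 4 not done: no profile was copied here


def audit_share(root):
    """Return {profile folder name: state} for every subfolder of the share."""
    report = {}
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if os.path.isdir(path):
            report[entry] = classify_profile(path)
    return report


def deviations(report, expected_mandatory):
    """Profiles that should be mandatory but are missing or in another state."""
    problems = {}
    for name in expected_mandatory:
        state = report.get(name, "missing")
        if state != "mandatory":
            problems[name] = state
    return problems


def build_sample_share(root):
    """Constructed sample share, used only to exercise the audit offline."""
    layout = {
        "user1": ["NTUSER.MAN"],
        "user2": ["Ntuser.dat"],
        "user3": ["Ntuser.dat", "Ntuser.man"],
        "user4": [],
    }
    for name, files in layout.items():
        folder = os.path.join(root, name)
        os.makedirs(folder)
        for filename in files:
            with open(os.path.join(folder, filename), "wb") as handle:
                handle.write(b"")
    return root


def run_sample():
    """Audit the constructed share and list what an operator must fix."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        report = audit_share(root)
    expected = ["user1", "user2", "user3", "user4", "user5"]
    return report, deviations(report, expected)


if __name__ == "__main__":
    report, problems = run_sample()
    for name, state in report.items():
        print(name, state)
    print("needs attention:", problems)
```

To audit a real share, call audit_share with the path to the share root in place of the temporary folder.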











For more information about how to create and use mandatory user profiles, consult the 
following resources: 


• For general information on roaming and mandatory profiles, read User Profiles 
  Overview. 

• For steps on assigning a mandatory profile to a user account in Windows XP, read How 
  To Assign a Mandatory User Profile in Windows XP. 





Image or Clone a Toolkit-Secured Computer 


When you install Windows XP Professional on several computers that have identical 
hardware configurations, the most efficient installation method to use is disk imaging—a 
process that is also referred to as cloning. This method involves the following actions: 


• Configuring a reference computer 
• Running the System Preparation Tool to prepare the computer for imaging 
• Creating an exact image of that computer’s hard disk and transferring that image to 
  the hard disks of other computers 
• Performing some final tasks on the cloned computer 


Note 

When you create a disk image, all the hardware settings of the reference computer become 
part of the image. Thus, the reference computer should have the same (or similar) hardware 
configuration as the destination computers. If the destination computers contain Plug and 
Play devices that are not present in the reference computer, these devices are 
automatically detected and configured at the first startup following installation. The user 
must manually install any devices that are not Plug and Play. 

Configure a Reference Computer 


You must first configure a reference computer that will be cloned. Configuring a reference 
computer involves the following tasks: 


• Install the operating system. Install either Windows XP Professional with SP2 or 
  Windows XP Home Edition with SP2. 

• Prepare the hard disk for Windows Disk Protection. For more information, see 
  Chapter 2, “Prepare the Disk for Windows Disk Protection.” 

• Install the Microsoft Shared Computer Toolkit for Windows XP. For more information, 
  see Chapter 1, “Installation.” 

• Create local limited user accounts. For the reference computer, create a superset of 
  all the user accounts you will need on all the shared computers. You can always 
  remove accounts you won’t need from specific computers. 

• Create and customize the user profiles for each account. For more information, see 
  Chapter 3, “User Profiles.” 

• Configure Windows Restrictions on the computer. For more information, see 
  Chapter 4, “Windows Restrictions.” 


Use the System Preparation Tool 

After you configure the reference computer, your next step is to prepare the computer for 
imaging. Many settings on a Windows XP Professional computer must be unique, such as 
the Computer Name and the Security Identifier (SID), which is a number used to track an 
object through the Windows security subsystem. To address this need, Windows XP 
Professional provides a utility called the System Preparation Tool (Sysprep.exe) that 
removes the SID and all other user-specific and computer-specific information from the 
computer, and then shuts down the computer so that you can use a disk 
duplication utility to create a disk image. The disk image is simply a compressed file that 
contains the contents of the entire hard disk on which the operating system is installed. 


Typically, when a client computer starts Windows XP Professional for the first time after 
loading a disk image that has been prepared with Sysprep, Windows automatically 
generates a unique SID, initiates Plug and Play detection, and starts the Mini Setup 
Wizard. The Mini Setup Wizard prompts for user-specific and computer-specific 
information, such as the End-User License Agreement (EULA), regional options, user name 
and company, product key, and so on. 


You can further automate the imaging process by including with your master image a 
special answer file named Sysprep.inf. Sysprep.inf is an answer file that is used to 
automate the Mini Setup process. It uses the same INI file syntax and key names (for 
supported keys) as Unattend.txt. Place the Sysprep.inf file in the %systemdrive%\Sysprep 
folder or on a floppy disk. If you use a floppy disk, insert it into the floppy disk drive after 
the Windows startup screen appears. Note that if you do not include Sysprep.inf when 
running Sysprep, the Mini Setup Wizard requires user input at each customization screen. 


To learn more about how to use the Windows System Preparation Tool, consult the 
following resources: 


• For an overview of imaging clients, see the TechNet Imaging Web site. 

• For information about how to customize Sysprep installations, see Customizing 
  Sysprep Installations. 

Create and Transfer a Hard Disk Image 

After you run the System Preparation Tool to prepare the reference computer for imaging, 
the tool shuts down the reference computer. At this point, you can use a third-party 
imaging tool to create an image of the computer’s hard disk. You can find 
recommendations for imaging tools by searching for drive copying utilities at the Windows 
Marketplace. 


Popular imaging utilities include: 
• Symantec Norton Ghost 9.0 
• Acronis True Image 8.0 


Post-Imaging Activities 

After you transfer an image to a new computer and start the computer, Windows 
generates a unique SID, initiates Plug and Play detection, and starts the Mini Setup 
Wizard. After installation finalizes, you must complete several tasks: 


• Activate Windows. You can learn more about this step in the article, “Description of 
  Microsoft Product Activation.” 

• Validate Windows XP. You can validate Windows through the Windows Genuine 
  Advantage Web site. Although it is possible that your copy of Windows has been 
  validated automatically during activation, you should visit this Web site to make sure. 

• Turn on Windows Disk Protection. You can achieve this through the command line by 
  using the DiskProtect command, which you can learn more about in Microsoft Shared 
  Computer Toolkit Help. 


Note 

Windows Disk Protection disables the automatic client initiation of machine account 
password changes in the domain. Instead, Windows Disk Protection updates the password 
automatically every time disk changes are saved. At a minimum, this happens during the 
scheduled critical updates process. 


Chapter 10: The Shared Computer 
Toolkit in Domain Environments 


This chapter of the Handbook focuses on using the Shared Computer Toolkit on 
computers in a domain environment, and handling other enterprise-level requirements. 
Specifically, this chapter covers: 


• Working with Active Directory 
• Central software management and Windows Disk Protection 
• User profiles in other languages 





Working with Active Directory 


The Active Directory® directory service offers significant benefits for shared computer 
environments that use a network. For example, Active Directory gives network users 
controlled access to resources anywhere on the network using a single set of credentials. 
It also provides network administrators with an intuitive, hierarchical view of the network, 
and a single point of administration for all network objects. 


Active Directory also provides a better environment for managing user accounts than 
using limited local accounts on the shared computer if users will have their own unique 
user accounts. 


All of the restrictions available in the Windows Restrictions tool are available by using 
Group Policy in an Active Directory environment. In fact, Group Policy is a far more 
effective tool than Windows Restrictions for restricting domain-joined computers. Windows 
Restrictions is more useful if you plan to use local user accounts on the shared computer. 


The functionality of Windows Disk Protection is something that Active Directory cannot 
provide, however, and is one of the main attractions for using the Toolkit in an Active 
Directory environment. 


To use Active Directory, each computer must be configured as a member of the domain. 


Windows Disk Protection on Domain-Joined Computers 


When a computer running Windows XP Professional is joined to an Active Directory 
domain, the computer uses a machine account password to authenticate with the domain 
and gain access to domain resources. By default, the domain-joined computer initiates a 
change to the machine account password automatically within every 30-day period. A 
domain controller accepts the password change and allows the domain-joined computer 
to continue to authenticate. The new password is stored within Active Directory and locally 
on the domain-joined computer. If a password change fails, or if a domain-joined computer 
attempts to use an incorrect password, the computer will not be able to access the 
domain. 


When Windows Disk Protection is turned on, the tool disables the automatic client-initiated 
machine account password updates on the shared computer. Windows Disk Protection 
then manually initiates a password change every time disk changes are saved. At a 
minimum, this happens during the scheduled critical update process. 


Important 

Domain-joined clients running Windows Disk Protection must not run for 30 days or longer 
in either Retain changes mode; otherwise they will become unjoined from the domain due 
to a stale machine account password. 


Important 

Before you customize the default user profile, create a copy of it. To do this, copy the 
Default User folder located in the Documents and Settings folder on the Windows 
partition. 


The reason for this change in functionality is that if a shared computer with Windows Disk 
Protection enabled were to initiate a machine account password change, a new password 
would be created in Active Directory but upon restarting the shared computer, Windows 
Disk Protection would revert to the previous password. This would cause an inability to 
access the domain. 


If you enable either of the Retain changes modes in Windows Disk Protection, no changes 
to the Windows partition are saved. If a machine account password change is made while 
one of these modes is enabled and changes are not saved within the maximum number of 
days allowed for a password change by the domain (30 days, by default), the machine 
account passwords will become out of sync. Therefore, you should not run a shared 
computer for 30 days or longer when either of the Retain changes modes is selected. 
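
A check an operator could run against the 30-day window described above, as an added example that is not part of the Toolkit. It assumes you have exported each shared computer's name and the Active Directory pwdLastSet attribute (a Windows FILETIME) as "computer,pwdLastSet" lines; the computer names, dates and the 21-day warning margin are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_AGE_DAYS = 30   # the domain default quoted in the text above
WARN_AGE_DAYS = 21  # assumption: early-warning margin chosen for this example


def filetime_to_datetime(filetime):
    """Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment):
    """Inverse conversion, used here only to build the sample export."""
    delta = moment - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def parse_export(text):
    """Parse 'computer,pwdLastSet' lines; skip blanks, comments and bad rows."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, raw = line.partition(",")
        raw = raw.strip()
        if not raw.isdigit():
            continue  # header row or malformed value
        records.append((name.strip(), int(raw)))
    return records


def audit(records, now):
    """Return {computer: (status, age_in_days)} relative to 'now'."""
    report = {}
    for name, filetime in records:
        if filetime == 0:
            # No password change recorded for the account; needs manual review.
            report[name] = ("never-set", None)
            continue
        age = (now - filetime_to_datetime(filetime)).days
        if age >= MAX_AGE_DAYS:
            status = "stale"      # "30 days or longer": save disk changes now
        elif age >= WARN_AGE_DAYS:
            status = "warning"    # approaching the window
        else:
            status = "ok"
        report[name] = (status, age)
    return report


# Constructed sample data: names and dates are invented for the example.
SAMPLE_NOW = datetime(2006, 3, 1, 12, 0, tzinfo=timezone.utc)


def build_sample_export(now=SAMPLE_NOW):
    ages = {"LAB-PC01$": 2, "LAB-PC02$": 25, "LAB-PC03$": 30, "LAB-PC04$": 45}
    lines = ["# constructed export", "computer,pwdLastSet"]
    for name, days in ages.items():
        stamp = datetime_to_filetime(now - timedelta(days=days))
        lines.append("%s,%d" % (name, stamp))
    lines.append("LAB-PC05$,0")
    return "\n".join(lines)


if __name__ == "__main__":
    report = audit(parse_export(build_sample_export()), SAMPLE_NOW)
    for name, (status, age) in sorted(report.items()):
        print(name, status, age)
```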


Create a Persistent Local User Profile for a Domain Account 


For some domain accounts used to log on to shared computers, you may find it necessary 
to create persistent local user profiles. To create a persistent domain user profile, you 
must use the UserProfiles.wsf command-line tool. To create a user profile, use the 
following command syntax: 


UserProfiles.wsf /create username password domain drive 


For example, to create a profile on drive D for a user named User1 in the Contoso domain 
with the password UserPass5, you would use the following command: 


UserProfiles.wsf /create User1 UserPass5 Contoso D 


Restrict the Default User Profile to Affect all New Profiles 


Although Windows Restrictions is not intended for use by domain accounts (and using 
Group Policy is a far better choice, anyway), you might encounter some domain scenarios 
that benefit from having the default user profile restricted. For example, you might need to 
have certain restrictions in place before you apply Group Policy or you might not want to 
create a special Group Policy for a particular restriction. 


When a user logs on to Windows XP for the first time with a new user account, Windows 
uses a built-in default user profile as a template to create a new user profile. You can 
customize and restrict the default user profile so that new users all have the same 
experience when they first log on. Restricting the default user profile also lets you ensure 
that users with Active Directory or Novell user accounts that log on to the shared computer 
begin with a properly restricted profile. 








To create a custom default user profile: 
1. Log on as the Toolkit administrator. 
2. Create a new limited local user account. 
3. Log off and then log on as the local user account that you just created. 
4. Customize the profile. For example, you could: 

   • Customize the Start menu. 
   • Customize the Desktop and Taskbar. 
   • Install and configure printers. 

5. Log off and then log on as the Toolkit administrator. 
6. Click Start, and then click My Computer. 
7. Click the Tools menu, and then click Folder Options. 
8. In the Folder Options dialog box, on the View tab, under Advanced settings, click Show 
hidden files and folders, and then click OK. Several of the files in the new profile are 
hidden by default, so hidden files must be shown to be copied to the new custom 
default user profile. 


9. Click Start, right-click My Computer, and then click Properties. 


10. In the System Properties dialog box, on the Advanced tab, under User Profiles, click 
Settings. 


11. In the User Profiles dialog box, click the user profile that you just created and 
customized, and then click Copy To. 


12. In the Copy To dialog box, under Copy profile to, click Browse, click the C:\Documents 
and Settings\Default User folder, and then click OK. 


13. Under Permitted to use, click Change, click Everyone, and then click OK. If Everyone is 
not available, click Advanced, click Find Now, click Everyone, and then click OK. 
Windows XP will now assign the custom default user profile to any new user who logs 
on to the computer. 


14. After creating the custom default user profile, you can use Windows Restrictions to 
configure restrictions that you want to be applied to new users. 
Central Software Management and Windows Disk Protection 


When Windows Disk Protection is on, software updates to the computer are ideally 
performed through the critical updates process offered by Windows Disk Protection. 
Windows Disk Protection keeps the computer trustworthy by first performing a regularly 
scheduled restart to clear all disk changes, and then downloading and installing the 
required updates on top of this trusted base. Unless these changes of the day are cleared 
first, there really isn’t any benefit to using Windows Disk Protection. This model is a little 
less flexible than many central software management models in which updates can be 
initiated centrally and scheduled to occur at any time. 


A centrally-managed software distribution system, such as Microsoft Systems 
Management Server (SMS), can provide the flexibility to schedule software updates to 
occur at any time, but this flexibility cannot be easily matched by Windows Disk Protection. 


If your organization has a strong need to regularly change the schedule for software 
updates, rather than following a fixed schedule you set within Windows Disk Protection, 
you may want to consider whether Windows Disk Protection is right for your environment. 


In contrast, if you can integrate your centrally managed software update process into the 
client-driven Windows Disk Protection update process, you might find a happy medium in 
which central software distribution and Windows Disk Protection can co-exist. 


It is also important to note that the software management model used by Windows Disk 
Protection might not be appropriate for environments with portable computers that are 
routinely disconnected or turned off at the time when the Windows Disk Protection critical 
updates process is scheduled to occur. 





User Profiles in Other Languages 


The Multilingual User Interface Pack (MUI) is a set of language-specific resource files that 
you can add to the English language version of Windows XP Professional. Using MUI, your 
users can change the interface language of the operating system to any of 33 supported 
languages. After you install the Toolkit, you can specify the user interface language for 
your users. 


Note 

MUI for Windows XP Professional is sold only through Volume Licensing programs. 


MUI Requirements 


MUI will run on computers that run Windows XP Professional, but not on Windows XP 
Home Edition. 


Windows XP MUI is sold only through Volume Licensing programs such as the Microsoft 
Open License Program (MOLP/Open), Select, and Enterprise agreement. You can request 
an OEM version of MUI, although MUI is not available through retail channels. This is to 
ensure that customers have the English version of the operating system running on their 
computers before they install MUI. 


For more information about MUI and its requirements, see the Windows Server 2003 
Windows XP & Windows 2000 MUI page at 
www.microsoft.com/globaldev/DrIntl/faqs/muifaq.mspx. 








How to Install MUI 


MUI includes six CDs: one that contains the English version of Windows XP Professional, 
and the remaining five for the MUI Resource Files. After you use the first CD to install 
Windows XP Professional, you can run the program MUISetup.exe from any of the five 
resource CDs to install the User Interface Languages. You can install as many of the 
languages as necessary. You can also remove languages at any time. 


How to Change the Input Language 


After you install MUI, you can use the Regional and Language Options dialog box in Control 
Panel to define the standards and formats the computer uses, a user’s location, and the 
input languages used by the user profile. 


The input language configured for the computer tells Windows how to react when text is 
entered using the keyboard. With multiple languages configured, a user can toggle 
between languages as needed. You can add an input language in a user profile as long as 
you have installed the appropriate language from MUI. 








To add an input language for a user profile 
1. Log on as the user for which you want to add an input language. 
2. Click Start, and then click Control Panel. 
3. In Control Panel, click Date, Time, Language, and Regional Options. 
4. In the Date, Time, Language, and Regional Options window, click Regional and 
Language Options. 


5. In the Regional and Language Options window, on the Languages tab, in the Text 
Services and Input Languages section, click Details. 


6. In the Text Services and Input Languages dialog box, click Add. 

Figure 10.1 Add an input language for a user account 

7. In the Add Input Language dialog box, click the language you want to add. To choose a 
specific keyboard layout, select the Keyboard Layout/IME check box and choose the 
appropriate layout. To add a keyboard layout or input method editor (IME), you need to 
have installed it on your computer first. Click OK. 


8. In the Text Services and Input Languages dialog box, in the Default Input Language 
drop-down list, click the language that should be the default language, and then click OK. 
Appendix A: Technical Primer 


To set up the Microsoft® Shared Computer Toolkit for Windows® XP and manage shared 
computers requires familiarity with a number of technologies and Windows features. 


This appendix covers the following topics: 

• User accounts and profiles 
• How the User Profiles tool works 
• How the Windows Restrictions tool works 
• Disks and partitions 
• How the Windows Disk Protection tool works 





User Accounts and Profiles 


A user account is a collection of information that defines a user. This information includes 
the username, password, groups to which the user belongs, basic environment settings 
that apply to the user, and other details about the user. 


A user profile is a group of settings and files that defines the environment that 
Windows XP loads when a user logs on. It includes all the user-specific configuration 
settings, such as program items, screen colors, network connections, printer connections, 
mouse settings, and window size and position. A user profile also allows you to specify 
different programs, languages, and accessibility features for each user account. 


A user profile consists of two parts: 


• A set of folders and files stored on the hard disk. By default, these folders are 
  stored in the Documents and Settings folder on the Windows partition. As you can 
  see in the following figure, Windows creates a folder for each user profile in the 
  Documents and Settings folder. A user folder is a container for programs and 
  other operating system components to populate with subfolders and user-specific 
  settings, such as shortcut links, desktop icons, startup programs, documents, 
  configuration files, and so on. Windows Explorer uses the user profile folders 
  extensively for special folders such as the user's desktop, Start menu and My 
  Documents folder. 

• A registry data file. The registry is a database used to store computer-specific and 
  user-specific settings on a computer running Windows XP. Portions of the registry 
  can be saved as files. Windows can then reload these files for use as necessary. 
  User profiles take advantage of this feature to provide user profile functionality. 
  The user profile registry file for each user is saved as a file named Ntuser.dat in 
  the profile folder. The information in this file is mapped to the 
  HKEY_CURRENT_USER portion of the registry whenever the user logs on. It stores 
  those settings that maintain network connections, Control Panel configurations 
  that are unique to the user (such as the desktop color and mouse settings), and 
  program-specific settings. 

Figure A.1 A user profile is a collection of files and folders. 


Local user profiles are stored in the manner just described, but different types of profiles 
also exist. A user's data can be stored on the local hard disk drive, or can be set so that 
the data roams with the user wherever he or she logs on. The following types of user 
profiles are available in Windows XP: 


• Local user profile. Created the first time that a user logs on to a computer, the 
  local user profile is stored on a computer's local hard disk. Any changes made to 
  the local user profile are specific to the computer on which the changes are 
  made. 

• Roaming user profile. The local profile is copied to (and stored in) a 
  network-accessible location. This profile is downloaded every time that a user logs 
  on to any computer on the network, and any changes made to a roaming user profile 
  are synchronized with the server copy upon logoff. 

• Mandatory user profile. A type of profile that administrators can use to specify 
  particular settings for users, a mandatory profile is essentially a roaming user 
  profile to which a user cannot make permanent changes. Only system 
  administrators can make changes to mandatory user profiles. Changes made by 
  the user to desktop settings are lost when the user logs off. A mandatory user 
  profile is often referred to as stateless, which just means that changes made in 
  the session are not saved in the profile. This is useful on shared user accounts 
  where one user should not be able to change the experience of other users. The 
  Lock this profile option in the Windows Restrictions tool works by turning the user 
  profile into a mandatory user profile (and thus, a roaming profile). 

• Temporary user profile. A temporary profile is issued any time that an error 
  prevents the user's default profile from being loaded. Temporary profiles are 
  deleted at the end of each session — changes made by the user to desktop 
  settings and files are lost when the user logs off. 

How the User Profiles Tool Works 


Typically, a user profile is not created until the first time that a user logs on to the 
computer with a new user account. When this logon happens, Windows automatically 
creates a new user profile for that user account. The User Profiles tool lets you create user 
profiles without logging on as the user and, more importantly, lets you create profiles on 
alternative hard disk partitions. You can also delete user profiles for existing user 
accounts. This includes the ability to delete profiles locked by Windows Restrictions (which 
are really mandatory user profiles). 


When you create a profile using the User Profiles tool, the tool simulates logging on with 
the user account so that it can create the user profile (though this simulation is completely 
transparent to the user). After creating the profile, if you specified that the profile be 
created on an alternative partition, the tool moves the profile to that partition. 





How the Windows Restrictions Tool Works 


Most of the restrictions available in the Windows Restrictions tool work by modifying the 
registry settings related to a user profile. Locking a profile in Windows Restrictions turns 
that profile into a mandatory profile that is stored within /Documents and 
Settings/<user>.orig. 


You can view the exact list of restrictions applied to HKEY_CURRENT_USER for each 
restricted user profile by viewing the file Restrict.xml in the Xml subfolder of the Toolkit 
installation. 


When the Windows Restrictions tool restricts a user, a copy of Restrict.xml is created 
called User.<user>.xml that contains the exact list of restrictions applied to that user 
profile. This file can be manually customized (with extreme care) and applied again using 
the Restrict.wsf command-line tool on other local profiles. To help advanced operators 
with this customization process, this appendix lists all of the registry settings contained in 
these XML files and what they do. 


Microsoft cannot support any customizations made to Restrict.xml, because it drives much 
of the user interface in the Windows Restrictions tool. It is strongly recommended and 
preferred that you customize a User.<user>.xml file and process it using the Restrict.wsf 
command-line tool. However, if you plan to change Restrict.xml despite these support 
implications, be sure to make a backup copy and do not modify the restrictions within the 
General Settings section, because it is the one section that is closely tied to hard-coded 
fields in the user interface of the Windows Restrictions tool (contained in Restrict.hta). 





Disks and Partitions 


A partition is a logical section of a hard disk on which Windows can write data. Every hard 
disk must be partitioned before it can be used. Often, a hard disk is set up as one big 
partition, but you can divide a hard disk into multiple partitions. When you partition a hard 
disk, you decide how much space to allocate to each partition. 


For example, assume that your computer has an 80-GB hard disk. If you purchased your 
computer with Windows XP already installed, or if you installed Windows XP using the 
default choices during installation, the hard disk likely has a single partition that takes up 
all of the 80 GB on the disk. However, you could divide that same disk into multiple 
partitions—maybe a 40-GB partition to hold Windows and program files, a 20-GB partition 
to hold your documents, and another 20-GB partition for future use. 


unallocated space 
Unused space on a hard disk that is not part of any partition. 


Windows partition 
The hard disk partition that holds the Windows system files. The Windows partition is the 
partition protected by the Windows Disk Protection tool. 


protection partition 
The partition that the Windows Disk Protection tool uses to safeguard the computer from 
changes that you have not authorized. 


When you partition a hard disk, you do not have to use all of the space on the hard disk at 
once. For example, on the 80-GB hard disk, you could create a single 40-GB partition and 
leave the rest of the space unpartitioned. Unpartitioned space on a hard disk is called 
unallocated space. 


Windows XP treats each partition on a hard disk as though it were a separate drive, 
assigning each partition a drive letter. Typically, the first partition (and the one that usually 
holds the Windows system files) is assigned drive letter C. This Handbook refers to the 
partition that holds the Windows files as the Windows partition. Other partitions are 
assigned drive letters as they are created, and the exact drive letters assigned depend on 
when the other partitions are created (during installation or afterward) and on what other 
drives you have on the computer (such as CD or DVD drives). 


Windows can recognize up to four primary partitions. To get around this limit, Windows 
allows you to create an extended partition (in place of one of the four primary partitions) 
that acts as a shell in which you can install any number of logical partitions. Windows Disk 
Protection reduces the limit on primary partitions to three, plus the requirement for 
unallocated space. 
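
The partition limits described above can be checked before Windows Disk Protection is turned on. The following is an added example, not part of the Handbook or the Toolkit: it parses the text printed by the diskpart commands `list disk` and `list partition` and reports whether the layout leaves room for a protection partition. The sample output is constructed, and two points are assumptions: an extended partition is counted as one primary slot, and the `min_free_mb` threshold is hypothetical because this section does not state a required size.

```python
import re

# Constructed sample of diskpart output for one disk (not captured from a real computer).
SAMPLE_LIST_DISK = """\
  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online        80 GB    20 GB
"""
SAMPLE_LIST_PARTITION = """\
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             40 GB    32 KB
  Partition 2    Primary             20 GB    40 GB
"""

UNITS_MB = {"B": 1 / 1048576, "KB": 1 / 1024, "MB": 1, "GB": 1024, "TB": 1048576}

def free_mb(list_disk_text, disk=0):
    """Unallocated space in MB, read from the Free column of 'list disk'."""
    row = re.compile(r"^\s*\*?\s*Disk\s+(\d+)\s+\S+\s+\d+\s+\w+\s+(\d+)\s+(\w+)", re.M)
    for m in row.finditer(list_disk_text):
        if int(m.group(1)) == disk:
            return float(m.group(2)) * UNITS_MB[m.group(3).upper()]
    raise ValueError("disk %d not found in 'list disk' output" % disk)

def partition_types(list_partition_text):
    """Type column (Primary, Extended, Logical, ...) for each partition row."""
    row = re.compile(r"^\s*\*?\s*Partition\s+\d+\s+([A-Za-z]+)", re.M)
    return [m.group(1) for m in row.finditer(list_partition_text)]

def check_layout(list_disk_text, list_partition_text, min_free_mb=1):
    # Assumption: an extended partition uses one of the four primary slots,
    # so it counts toward the limit of three; logical partitions do not.
    types = partition_types(list_partition_text)
    slots = sum(1 for t in types if t in ("Primary", "Extended"))
    free = free_mb(list_disk_text)
    problems = []
    if slots > 3:
        problems.append("%d primary/extended partitions; the limit is 3" % slots)
    if free < min_free_mb:
        problems.append("no unallocated space for the protection partition")
    return {"slots": slots, "free_mb": free, "ok": not problems, "problems": problems}

if __name__ == "__main__":
    print(check_layout(SAMPLE_LIST_DISK, SAMPLE_LIST_PARTITION))
```
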





How the Windows Disk Protection Tool Works 


The Windows Disk Protection tool is designed to protect the Windows partition by rejecting 
all changes made to that partition since the last restart. Examples of changes include 
modifications to Windows configuration settings, installation of programs (including 
viruses and spyware), or even simple changes to the desktop environment. 


The Protection Partition 

To achieve this protection, the Windows Disk Protection tool creates a special partition 
using unallocated space on your hard disk. This special partition is called the protection 
partition. The tool saves changes made during the user session to that special partition, 
making it appear to the user as though everything is operating ordinarily. Depending on 
how the Windows Disk Protection tool is configured, the tool can discard changes made 
within the protection partition when a user session finishes or save those changes to the 
Windows partition. 


The Critical Updates Process 

During the computer restart, the Windows Disk Protection tool establishes a process that 
disables the Automatic Updates tool in Windows XP. (You can typically access this tool in 
the operating system if you click Start, click Control Panel, and then double-click Automatic 
Updates.) Any schedule set through the Automatic Updates tool in Windows XP will have 
no effect on the computer while Windows Disk Protection is on. After you turn on Windows 
Disk Protection, any scheduling changes that you want to make must take place in the 
Critical Updates section of the Windows Disk Protection tool. 


If you want to change the schedule for critical updates, set Windows Disk Protection to use 
the Save changes with next restart mode, make the appropriate changes, and then restart 
the computer. 


The Windows Disk Protection tool automatically uses the following process to apply critical 
updates at the scheduled time: 


1. Restart the computer to remove potentially bad changes on the disk. 

2. Block users from signing on (except for the Administrator and the Toolkit 
Administrator accounts). 

3. Download and install critical updates. 

4. Set Windows Disk Protection to Save changes with the next restart. 

5. Restart the computer to save the disk changes, and return to the default Clear 
changes with each restart mode. 


While the Windows Disk Protection tool downloads and saves updates, it is important that 
you do not use the computer for any other activity so that you do not accidentally save 
unwanted changes along with the updates. 


For this reason, you will probably want to schedule the critical update process to occur 
during the lightest user demand period of the day in the environment that you manage. If 
you manage a business that operates 24 hours a day, consider staggering the critical 
update time among the computers that you manage so that some computers are always 
available to users. 


Notes 


Use this space to record useful information about your computer. If you operate more than 
one computer, print or make a copy of this page for each computer. 


Registration code for the Toolkit: 
Computer name: 
Workgroup (or Domain): 


Other information 


